delexclusion.cna
# author REDMED-X
# Register the `delexclusion` command with the Beacon console: name, one-line
# summary, and the long help text (assembled one help line per string).
beacon_command_register(
    "delexclusion",
    "Delete an exclusion from Windows Defender for a folder, file, process or extension.",
    "INFO:\n" .
    "Delete an exclusion from Windows Defender for a folder, file, process or extension. \n\n" .
    "ARGUMENTS:\n" .
    "[<exclusion type>]: specify one of the following exclusion types you want to delete: path (file/folder), process, extension.\n" .
    "[<exclusion name>]: specify the exclusion data/name that you want to delete.\n\n" .
    "USAGE:\n" .
    "delexclusion <exclusion type> <exclusion data>\n\n" .
    "EXAMPLES:\n" .
    "delexclusion path C:\\Users\\Public\\Downloads\n" .
    "delexclusion process C:\\Windows\\System32\\example.exe\n\n"
);
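# delexclusion <exclusion type> <exclusion data>
#
# Validates the operator's arguments, loads the delexclusion object file from
# the script's resource directory and tasks the Beacon to run its "go" entry
# point. This script only checks and forwards arguments; the change to the
# host's Windows Defender configuration is made by the object file itself.
#
#   $1 - ID of the Beacon the alias was typed into
#   $2 - exclusion type: path | process | extension
#   $3 - exclusion data/name to delete
alias delexclusion {
    # Sleep puts undeclared variables in the global scope, where they would be
    # shared with every other alias in the script; keep them local instead.
    local('$bid $excltype $excldata $handle $data $arg_data');

    $bid = $1;
    $excltype = $2;
    $excldata = $3;

    if ($excltype eq "") {
        berror($bid, "Please specify one of the following exclusion types: path | process | extension.\n");
        return;
    }

    # Only the three documented types are forwarded; anything else is rejected
    # here rather than being passed to the object file.
    if ($excltype eq "path" || $excltype eq "process" || $excltype eq "extension") {
        if ($excldata eq "") {
            berror($bid, "Please specify the exclusion data/name that you want to delete.\n");
            return;
        }
    }
    else {
        berror($bid, "This exclusion type isn't supported. Please specify one of the following options: path | process | extension.\n");
        return;
    }

    # Read in the right BOF file.
    # NOTE(review): the sibling aliases load their object files from a
    # per-command subdirectory; confirm this relative path matches where
    # delexclusion.o is actually deployed.
    $handle = openf(script_resource("delexclusion.o"));
    $data = readb($handle, -1);
    closef($handle);

    # A missing or unreadable object file yields no data; stop instead of
    # tasking the Beacon with an empty payload.
    if (strlen($data) == 0) {
        berror($bid, "Could not read the BOF file delexclusion.o.\n");
        return;
    }

    # Pack our arguments: "z" = zero-terminated string (type),
    # "Z" = zero-terminated wide-char string (data).
    $arg_data = bof_pack($bid, "zZ", $excltype, $excldata);

    # The task log is the record of what was changed on the host, so it must
    # name the real action: this command deletes an exclusion, it does not add one.
    blog($bid, "Tasked to delete an exclusion..");
    beacon_inline_execute($bid, $data, "go", $arg_data);
}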
# Register the `delfirewallrule` command with the Beacon console: name,
# one-line summary, and the long help text (one help line per string).
beacon_command_register(
    "delfirewallrule",
    "Delete a firewall rule.",
    "INFO:\n" .
    "Delete a firewall rule using COM.\n\n" .
    "ARGUMENTS:\n" .
    "[<rule name>]: the name of the firewall rule you want to delete.\n\n" .
    "USAGE:\n" .
    "delfirewallrule \"<rule name>\"\n\n" .
    "EXAMPLES:\n" .
    "delfirewallrule \"ExampleRuleName1\"\n\n"
);
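# delfirewallrule "<rule name>"
#
# Checks that a rule name was supplied, loads the delfirewallrule object file
# from the script's resource directory and tasks the Beacon to run its "go"
# entry point. The rule itself is removed by the object file, not by this script.
#
#   $1 - ID of the Beacon the alias was typed into
#   $2 - name of the firewall rule to delete
alias delfirewallrule {
    # Sleep puts undeclared variables in the global scope, where they would be
    # shared with every other alias in the script; keep them local instead.
    local('$bid $name $handle $data $arg_data');

    $bid = $1;
    $name = $2;

    if ($name eq "") {
        berror($bid, "Please specify the name of the firewall rule you want to delete.\n");
        return;
    }

    # Read in the right BOF file
    $handle = openf(script_resource("DelFirewallRule/delfirewallrule.o"));
    $data = readb($handle, -1);
    closef($handle);

    # A missing or unreadable object file yields no data; stop instead of
    # tasking the Beacon with an empty payload.
    if (strlen($data) == 0) {
        berror($bid, "Could not read the BOF file DelFirewallRule/delfirewallrule.o.\n");
        return;
    }

    # Pack our arguments: "Z" = zero-terminated wide-char string (rule name).
    $arg_data = bof_pack($bid, "Z", $name);

    # The task log is the record of what was changed on the host; the rule
    # being deleted already exists, so it is not described as "new".
    blog($bid, "Tasked to delete a firewall rule..");
    beacon_inline_execute($bid, $data, "go", $arg_data);
}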
# Register the `dellocalcert` command with the Beacon console: name, one-line
# summary, and the long help text (one help line per string).
beacon_command_register(
    "dellocalcert",
    "Delete a local computer certificate from a specific store.",
    "INFO:\n" .
    "Delete a local computer certificate from a specified store based on its unique thumbprint.\n\n" .
    "ARGUMENTS:\n" .
    "[<store name>]: the name of the certificate store from which to delete the certificate.\n" .
    "[<thumbprint>]: the thumbprint of the certificate that you want to delete in format (all caps): AABBCCDDEEFF00112233445566778899AABBCCDD.\n\n" .
    "USAGE:\n" .
    "dellocalcert <store name> <thumbprint>\n\n" .
    "EXAMPLES:\n" .
    "dellocalcert ROOT AABBCCDDEEFF00112233445566778899AABBCCDD\n\n"
);
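# dellocalcert <store name> <thumbprint>
#
# Checks that a store name and a thumbprint were supplied, loads the
# dellocalcert object file from the script's resource directory and tasks the
# Beacon to run its "go" entry point. The certificate is removed by the object
# file, not by this script.
#
#   $1 - ID of the Beacon the alias was typed into
#   $2 - certificate store name (the help text gives ROOT as an example)
#   $3 - certificate thumbprint; the help text asks for upper-case hex
alias dellocalcert {
    # Sleep puts undeclared variables in the global scope, where they would be
    # shared with every other alias in the script; keep them local instead.
    local('$bid $store $thumbprint $handle $data $arg_data');

    $bid = $1;
    $store = $2;
    $thumbprint = $3;

    if ($store eq "") {
        berror($bid, "Please specify a valid local computer certificate store name like ROOT.\n");
        return;
    }
    # NOTE(review): only emptiness is checked here; the thumbprint format
    # described in the help text is not enforced before tasking.
    if ($thumbprint eq "") {
        berror($bid, "Please specify the thumbprint for the certificate that you want to delete from the store.\n");
        return;
    }

    # Read in the right BOF file
    $handle = openf(script_resource("DelLocalCert/dellocalcert.o"));
    $data = readb($handle, -1);
    closef($handle);

    # A missing or unreadable object file yields no data; stop instead of
    # tasking the Beacon with an empty payload.
    if (strlen($data) == 0) {
        berror($bid, "Could not read the BOF file DelLocalCert/dellocalcert.o.\n");
        return;
    }

    # Pack our arguments: "Z" = zero-terminated wide-char string (store),
    # "z" = zero-terminated string (thumbprint).
    $arg_data = bof_pack($bid, "Zz", $store, $thumbprint);

    blog($bid, "Tasked to delete a certificate..");
    beacon_inline_execute($bid, $data, "go", $arg_data);
}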